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SECTION  1 

INTRODUCTION  AND  SIMIARY 


1.1  OBJECTIVE. 

Nuclear  Hardness  Management  is  currently  the  principle  bottleneck 
in  achieving,  with  confidence,  reasonable  levels  of  nuclear  hardness  in  tac¬ 
tical  electronic  system.  Techniques  and  devices  exist  whereby  electronic 
systems  can  be  hardened  to  accepted  tactical  nuclear  levels  (i.e.  those  up 
to  the  level  of  immediate  personnel  incapacitation).  The  means  whereby 
these  methods  can  be  applied  at  reasonable  cost  to  achieve  the  needed  hard¬ 
ness  are  in  question.  The  option  of  elaborate  test  and  analysis  programs, 
including  independent  hardness  audits  and  realistic  stress  exposures  fol¬ 
lowed  by  extensive  hardness  maintenance  and  surveillance  efforts,  is  not 
reasonable  for  tactical  systems.  The  current  practice  of  using  expert 
government  consultants  to  advise  program  managers  on  a  minimum  set  of  har¬ 
dening  and  hardness  validation  efforts  is  a  reasonable  near-term  expedient, 
but  a  more  objective  method  must  be  developed  for  the  long  term. 

This  report  establishes  the  basis  for  a  formal  and  objective 
Nuclear  Hardness  Management  methodology.  It  is  based  on  the  following  pre¬ 
mises: 


1.  The  ingredients  of  nuclear  hardness  management  should  be  as 
similar  as  possible  to  the  methods  used  to  manage  other  envi¬ 
ronmental  stresses  and  degrading  effects  (e.g.  Reliability), 
with  which  the  managers  and  engineers  are  already  familiar. 


2.  The  rules  for  applying  nuclear  effects  data  and  for  demon¬ 
strating  that  the  nuclear  hardness  requirements  have  been 
achieved  must  be  part  of  the  contract  package  during  the  com¬ 
petitive  phases  of  procurement. 

3.  Uncertainties  in  data,  analyses,  test  results,  and  extrapola¬ 
tion  to  realistic  conditions  are  compensated  by  demonstrated 
margins.  The  magnitudes  of  these  margins  are  legislated  by 
the  government,  based  on  the  best  available  technical  data. 

4.  The  design  and  test  organizations  are  provided  as  much  free¬ 
dom  of  choice  as  possible  to  allow  them  to  trade  off  hardness 
related  requirements  against  all  the  other  system  require¬ 
ments.  Only  if  some  design  choices  are  inherently  unharden- 
able  or  incapable  of  hardness  validation  with  any  reasonable 
margin  are  they  proscribed. 

5.  While  the  design  and  test  organizations  are  provided  the 
choice,  these  choices  will  be  biased  because  some  design  and 
validation  options  will  require  larger  safety  margins  or 
incur  more  cost  in  implementation. 

By  analogy  with  other  "-ilities",  the  implementation  of  Nuclear 
Hardness  Management  should  occur  through  various  documents  that  provide 
direction  and  guidance  to  the  participants  in  system  development  and  valida¬ 
tion  programs.  At  the  apex  of  this  document  tree  is  the  existing  DoDI 
4245.4,  which  directs  that  nuclear  survivability  (for  which  nuclear  hardness 
is  one  contributing  factor)  will  be  considered  by  the  DSARC  for  all  major 
DoD  systems,  and  will  be  considered  by  the  Service  acquisition  review  coun¬ 
cils  for  other  systems.  DoDI  4245.4  also  spells  out  the  authority  and 
responsibility  of  various  organizations  for  establishing  the  requirements, 
assuring  that  they  have  been  met,  and  reviewing  the  overall  program.  Other 


existing  documents  Include  each  Service's  regulation  (i.e.  AR  70-60, 
OPNAVINST  3401.3,  APR  80-38)  that  define  the  procedures  whereby  the  nuclear 
hardness  requirements  are  formulated  for  new  systems  developed  by  that  ser¬ 
vice.  Each  Service  has  established  organizations  (e.g.  the  Army's  Nuclear 
Survivability  Committee  and  its  Secretariat)  to  implement  these  procedures. 


What  is  now  needed  is  to  carry  this  process  much  further.  Having 
established  the  machinery  to  formulate  nuclear  hardness  criteria  in  environ¬ 
mental  form  (i.e.  the  environment  to  which  the  system  may  be  exposed  without 
unacceptable  response),  it  is  now  necessary  to  write  down  the  rules  by  which 
it  will  be  judged  that  the  criteria  have  been  satisfied,  and  to  provide  to 
the  development  organizations  the  tools  by  which  they  have  reasonable  expec- 
tatior  of  achieving  success  according  to  these  rules.  This  is  not  an  easy 
task:  a  lot  of  documents  are  needed  and  the  technical  decisions  that  underly 
these  rules  will  stress  our  understanding  of  the  nuclear  effects  phenomeno¬ 
logy  to  its  limits.  The  potential  impact  will,  however,  far  outweigh  the 
cost.  Even  the  impact  of  cutting  down  on  the  incessant  arguments  about,  "Is 
it  hard  or  not?"  will  save  a  lot  of  money  and  time. 


RECOMMENDATIONS. 


It  is  the  recommendation  of  this  report  that  a  variety  of  docu¬ 
ments  be  prepared,  to  supplement  the  technical  reports  already  provided  by 
DNA,  each  to  meet  a  specific  need.  These  documents  should  be  of  two  major 
classes: 


Directive  documents  that  can  be  cited  in  contracts  and  carry 
the  force  of  law/authority.  These  documents  must  be  specific 
and  pragmatic:  ideally  they  should  leave  no  question  whether 
a  program  has  or  has  not  complied  with  their  requirements. 
These  present  the  rules  of  Nuclear  Hardness  Management. 
These  rules  are  mandatory,  subject  to  specified  procedures 
for  granting  waivers. 


V'  W-  *. .>  ^  .  '•v  •  \  • 


2.  Advisory  documents  that  are  offered  to  the  system  development 
community  to  help  them  accomplish  the  design  and  testing  In 
compliance  with  the  Directed  rules.  Such  documents  are  use¬ 
ful,  but  not  mandatory. 

Within  the  class  of  Directive  documents,  there  are  the  following 

1.  Management  documents,  which  define  responsibilities,  proce¬ 
dures  and  authority  (e.g.  DoDI  4245.4  and  related  Service 
documents).  Such  documents  Insert  activities  related  to 
nuclear  hardness  Into  the  normal  flow  of  acquisition  manage¬ 
ment  at  all  levels.  As  discussed  above,  such  documents 
already  exist  at  the  highest  level;  the  need  Is  to  flow  down 
the  requirements  at  lower  management  levels,  probably  by 
amending  existing  documents  to  Insert  nuclear-hardness  speci¬ 
fic  requirements. 

2.  Hardness  Validation  Methodology  documents,  which  define  the 
rules  whereby  an  acceptable  hardness  validation  methodology 
can  be  developed  for  each  specific  system.  This  methodology 
will  usually  be  a  set  of  Individual  methods  (e.g.  analyses 
and  tests)  from  which  data  Is  provided  to  a  survivability 
assessment  (I.e.  prediction  of  system  response  to  realistic 
operational  conditions).  As  discussed  above,  the  Hardness 
Validation  Methodology  documents  will  provide  as  much  flexi¬ 
bility  of  choice  of  Individual  methods  as  possible,  subject 
to  legislated  completeness  criteria  and  required  margins,  so 
that  each  system  manager  can  choose  the  specific  methodology 
that's  most  appropriate  to  his  design. 


3.  Specification  formats,  which  identify  all  the  data  required 
for  an  item  specification  to  be  complete  enough  to  satisfy 
hardness  and  hardness  validation  requirements.  Specific  item 
specifications  (e.g.  with  specific  values  for  parameters) 
need  to  be  prepared  by  the  system  development  organization. 
However,  in  order  to  implement  hardness  validation  it's 
necessary  to  ensure  that  at  each  level  (i.e.  from  the  prime 
item  down  to  the  elementary  device  or  piece  part)  the  speci¬ 
fications  satisfy  minimum  completeness  conditions. 

4.  Standards,  which  establish  minimum  conditions  to  be  met  for 
any  method  used  in  the  Hardness  Validation  Methodology.  These 
include  standards  for  tests  (i.e.  each  test  type  should 
reference  a  Standard  that  ensures  that  any  competent  test 
organization  performing  the  same  test  will  measure  in  essen¬ 
tial  attributes  the  same  response),  and  for  analyses.  This 
does  not  imply  that  a  particular  computer  code  is  specified 
by  the  Standard,  only  that  any  acceptable  code  has  to  meet 
specified  minimum  conditions  (possibly  including  validation 
by  specified  test  problems). 

5.  Certified  Data,  which  provide  to  the  development  organiza¬ 
tions  data  and  relationships  that  are  accepted  by  the  govern¬ 
ment  as  being  valid  without  further  need  for  justification. 
While  such  documents  are  not  essential  to  the  management 
approach  being  recommended,  they  can  save  much  unnecessary 
and  duplicative  effort  in  applying  the  validation  methods. 

Examples  of  useful  (but  not  contractually  binding)  documents  are: 
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1.  Tutorials  to  explain  the  nuclear  weapons  phenomena  at  various 
levels  of  sophistication  for  various  audiences.  These  can  be 
at  the  level  required  by  persons  training  to  become  nuclear 
effects  experts,  they  can  serve  as  a  handbook  of  existing 
knowledge  (e.g.  EM-1),  and  they  can  provide  general  Insight 
to  aid  the  person  who  has  no  need  to  become  a  nuclear-effects 
specialist  (e.g.  design  engineer)  to  gain  sufficient  Insight 
to  perform  his  function. 

2.  Guideline  documents  to  assist  In  the  application  of  the 
various  mandatory  documents.  For  example,  the  Specification 
formats  can  be  supported  by  a  guideline  by  which  the  engineer 
can  be  aided  In  determining  the  values  to  be  Inserted  Into 
the  specifications.  Similarly,  there  are  guidelines  for  the 
designers  and  test  engineers,  which  assist  them  In  making  the 
decisions  and  In  Interpreting  the  results.  These  documents 
are  separate  from  the  Standards  that  Impose  legalistic  con¬ 
straints.  The  engineers  are  free  to  choose  different  methods 
from  those  recommended  In  the  Guidelines.  They  are  not 
allowed  to  violate  the  limits  on  acceptability  Imposed  by  the 
Standards.  This  Is  one  reason  for  presenting  the  Standards 
and  Guidelines  as  separate  documents:  It  avoids  confusion 
over  what  Is  mandatory  and  what  Is  discretionary. 

3.  Data  bases,  which  present  results  of  previous  tests  and 
analyses.  These  are  useful  for  the  design  and  test  organiza¬ 
tions,  but  they  are  distinct  from  the  Certified  Data  In  that 
the  user  has  the  responsibility  to  demonstrate  the  validity 
and  applicability  of  the  data  (presumably  by  criteria  Imposed 
by  the  Standards). 
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4.  Technical  Background  documents,  which  establish  the  technical 
foundation  for  the  formal  Methodology  and  Standards  docu¬ 
ments.  For  each  recipe  presented  in  the  mandatory  documents, 
a  Technical  Background  document  should  present  a  technical 
audit  trail,  including  the  assumptions  on  which  the  recipe  is 
based  and  the  evidence  that  appears  to  support  (or  contra¬ 
dict)  the  assumptions.  These  documents  are  intended  pri¬ 
marily  for  the  nuclear  effects  specialists,  rather  than  the 
applications  engineers.  They  are  essential  counterparts  to 
the  formal  recipes,  especially  to  facilitate  dealing  with 
changes  in  understanding  and  threats.  Technical  uncertain¬ 
ties  underlying  the  rules  must  be  documented  to  facilitate  an 
ongoing  expert  review  of  the  validity  of  the  rules,  but  the 
discussions  about  uncertainties  should  not  distract  from  the 
legalistic  nature  of  the  rules. 

The  principal  features  of  the  recommendations  of  this  report  are 
illustrated  by  the  foregoing  examples  and  discussion: 

1.  There  is  a  clear  distinction  between  government  mandated  pro¬ 
cedures  for  validating  the  nuclear  hardness  of  equipment  and 
the  technical  rationale  (and  risk)  underlying  those  proce¬ 
dures.  The  government  accepts  the  risk  of  the  procedures 
being  inadequate;  the  developer  accepts  the  risk  of  the 
equipment  not  complying  with  the  requirements  imposed  by  the 
procedures. 


2.  Where  there  are  uncertainties,  they  are  compensated  by  mar¬ 
gins.  Again  the  margins  are  mandated,  with  the  government 
accepting  the  risk  of  insufficiency  in  the  mandate. 
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3.  Within  the  bounds  of  adequacy  defined  by  the  Methodology, 
Standards  and  Specifications,  the  development  organization 
should  be  provided  with  the  greatest  possible  freedom  to  per¬ 
form  design  and  validation  tradeoffs  talcing  Into  account  a11 
factors.  Including  hardness  considerations. 

1.3  QUESTIONS. 

The  key  questions  that  may  need  to  be  answered  before  DNA  can 
decide  to  proceed  to  develop  the  required  documents  are: 

1.  Is  there  a  need? 

2.  Will  this  approach  satisfy  the  need? 

a.  Is  It  technically  feasible? 

b.  Is  It  practical? 

c.  Are  system  developers  likely  to  accept  it? 

3.  Is  the  expected  benefit  consistent  with  the  required  Invest¬ 
ment? 

Is  There  a  Need? 


It  appears  clear  that  a  need  for  a  better  formalism  for  judging 
the  adequacy  of  nuclear  hardening  military  systems,  especially  electronic 
systems.  Is  clearly  established  by  past  and  recent  experience.  While  some 
systems  programs  have  considerably  Improved  their  interactions  with  the 
nuclear  effects  technology  community,  making  increased  use  of  nuclear 
effects  expertise  to  influence  the  designs  of  the  system,  their  continues  to 
be  a  dichotomy  between  the  opinions  and  advice  of  nuclear  effects  experts 
and  what  Is  actually  Implemented  In  hardware,  and  in  the  extent  of  nuclear 
hardness  validation  test  programs.  There  is  even  considerable  disagreement 


between  the  experts  on  the  "how  much  hardening  is  enough."  This  disagree¬ 
ment  is  justification  for  programs  doing  less  than  some  of  the  nuclear 
effects  expert  advise;  if  the  experts  can't  agree  amoung  themselves,  a  pro¬ 
gram  manager  cannot  be  criticized  for  exercising  his  own  best  judgement  on 
the  extent  to  which  he  should  devote  the  taxpayers'  money  to  nuclear  har¬ 
dening  and  hardness  validation  tasks.  It  appears  clear  that  the  new  DoO 
instruction,  DoDI  4245.4  will  not  lead  to  an  increase  in  attention  to  nuc¬ 
lear  hardening  unless  there  are  reasonably  clear  criteria  for  success  by 
which  the  program  management  and  execution  can  be  judged.  It  is  unlikely 
that  the  ATSD/AE  will  be  able  to  persuade  the  DSARC  to  disapprove  a  program 
just  because  he  or  some  nuclear  effects  consultants  don't  believe  that  nuc¬ 
lear  hardening  was  carried  out  thoroughly  enough.  If  there  were  a  reason¬ 
able  standard  for  acceptable  hardening  and  hardness  validation,  such  disap¬ 
proval  could  be  based  upon  evidence  that  the  standard  was  not  heeded  in  the 
course  of  that  program.  We  submit,  therefore,  that  past  and  present  exper¬ 
ience  clearly  establish  that  there  is  a  need  for  an  agreed  upon  formalism  by 
which  adequacy  can  be  judged. 

Will  the  recommended  approach  satisfy  the  need? 

There  are  three  aspects  of  this  question  that  are  closely  interre¬ 
lated: 


a.  Is  it  technically  feasible? 

b.  Is  it  practical? 


c.  Are  system  developers  likely  to  accept  it? 


Taking  them  In  Inverse  order,  it's  asserted  that  if  the  procedures  are  both 
feasible,  practical,  and  enforceable  system  developers  will  comply  with 
them.  The  fundamental  rule  of  system  development  is  to  minimize  risk.  One 
element  of  risk  is  that  the  program  will  be  held  up  at  the  DSARC  for  lack  of 
satisfactory  hardness  validation.  This  risk  is  minimized  if  a  pre-estab¬ 
lished  set  of  rules  has  been  followed,  assuming  that  there  are  no  other 
severe  penalties  for  following  the  rules. 

That  raises  the  key  question  of  practicality,  which  can  be  quanti¬ 
fied  in  terms  of  the  penalties  (e.g.  cost,  schedule,  performance)  that  have 
to  be  absorbed  to  deal  with  hardness  according  to  the  prescribed  rules.  If 
these  penalties  are  severe,  they  are  difficult  to  comply  with.  Where  the 
penalties  are  negligible  the  designers  have  always  been  willing  to  incorpo¬ 
rate  hardness  features.  It's  in  the  middle  ground  where  tradeoffs  have  to 
be  made  between  hardness  features  and  other  system  parameters  that  objective 
rules  are  needed  that  will  produce  reasonable  results.  Many  system  organi¬ 
zations  have  already  performed  these  tradeoffs  and  have  incorporated  many 
hardening  features  as  a  result.  The  key  question  is  whether  the  results  are 
technically  adequate. 

Thus,  the  question  of  technical  feasibility  is  not  one  of  princi¬ 
ple,  but  one  of  practicality.  Is  it  possible  to  prescribe  an  objective 
method  of  hardness  validation  that  satisfies  technical  adequacy  requirements 
without  imposing  unrealistic  burdens  on  the  system  design  and  testing?  One 
argument  against  this  possibility  notes  that  the  ability  to  analyze  a 
nuclear  effects  response  is  limited  by  the  number  of  parameters  that  even 
our  most  sophisticated  computer  codes  can  handle.  In  practice  these  analy¬ 
ses  impose  obvious  simplifications  on  what  are  very  complex  objects.  At 
present  these  simplifications  are  the  result  of  individual  analyst's  judge¬ 
ments.  Each  analyst  tends  to  make  them  somewhat  differently.  How  can  one 
ever  write  an  objective  prescription  for  reducing  a  complicated  geometrical 
and  electrical  configuration  to  the  parameter  space  available  in  the  compu¬ 
tational  tools? 


The  answer  to  this  doubt  comes  from  taking  a  fundamentally  diffe¬ 
rent  point  of  view:  the  purpose  of  a  hardness  validation  analysis  is  not  to 
make  the  best  estimate  of  the  expected  response  of  a  system  to  a  nuclear- 
induced  stress,  but  to  establish  a  bound  on  the  response  that  falls  within 
the  range  of  acceptable  behavior.  This  approach  opens  up  new  avenues  of 
practicality  and  tradeoffs  between  margins  and  sophistication  of  validation 
methods.  It  also  establishes  the  basis  for  a  contractual  formality:  the 
margin  needed  to  compensate  for  uncertainties  in  various  methods  can  be 
officially  defined  and  contractually  imposed.  This  presents  the  developer 
with  the  ideal  risk-minimizing  approach:  he  is  held  blameless  as  long  as  he 
follows  the  prescribed  rules.  The  government  accepts  the  risk  that  the 
rules  are  later  found  to  be  inadequate. 

There  is  still  a  last  question:  is  there  a  reasonable  amount  of 
design  space  available  for  incorporating  enough  margin  to  make  up  for  the 
uncertainties  in  hardness  validation  methods?  We  believe  there  is,  as  wit¬ 
nessed  by  the  fact  that  this  procedure  is  commonly  used  to  deal  with  most 
nuclear  effects  design  issues.  On  many  occasions  developers  have  argued 
that  certain  tests  weren't  necessary  because  a  large  margin  was  incorporated 
into  the  design,  and  those  arguments  have  frequently  been  persuasive.  In 
those  cases  it  should  be  possible  to  formulate  criteria  by  which  the  conclu¬ 
sion  can  be  endorsed.  Furthermore,  we  believe  there  are  many  other  circum¬ 
stances  under  which  other  waivers  from  nuclear  effects  tests  could  have  been 
granted,  but  they  were  not  requested  because  the  tests  were  relatively  pain¬ 
less  to  the  developer.  In  some  cases,  the  same  programs  were  criticized  for 
not  addressing  another  issue,  for  which  no  money  was  available.  Clearly, 
saving  money  from  unnecessary  tests  is  worthwhile  when  there  are  more  criti¬ 
cal  issues  to  which  these  resources  could  be  directed. 


Is  the  Benefit  Consistent  with  the  Investment? 

A  sizeable  Investment  in  talent  and  money  will  be  required  to 
Implement  our  recommendations.  Translating  the  existing  knowledge  Into 
recipes  applicable  to  a  wide  range  of  circumstances  Is  technically  chal¬ 
lenging,  and  requires  a  discipline  that  Is  difficult  for  most  technical 
people  to  learn.  It's  expected  that  the  price  tag  will  be  a  few  million 
dollars  spread  over  a  few  years,  together  with  a  need  for  tight  management 
control  to  ensure  that  the  discipline  Is  maintained  (I.e.  avoid  converting 
these  resources  Into  funds  for  technical  hobby  shops).  We  believe  the  pay¬ 
back  to  the  na^'*on  will  be  many  times  the  Investment,  as  It  has  been  In 
every  other  engineering  area  when  It  has  become  a  formalized  discipline. 
Individual  decisions  relating  to  hardness  validation  for  single  systems  have 
a  price  tag  comparable  to  this  Investment.  It's  likely  that  the  effect  of 
this  discipline  on  the  hardness  of  one  major  military  system  will  pay  back 
the  total  cost.  Even  the  cost  of  arguing  about  hardness,  as  accumulated 
over  many  systems.  Is  comparable  to  the  Investment. 

1.4  ORGANIZATION  OF  REPORT. 

The  remainder  of  this  report  will  discuss  In  more  detail  these 
Issues,  Illustrating  them  to  make  credible  the  practicality  of  this 
approach.  In  Section  2  we  will  address  some  general  features.  Including  the 
role  of  various  documents,  a  hierarchical  approach  to  analysis/testing,  and 
the  Impact  of  statistical  considerations.  In  Section  3  we  will  present  in 
annotated  outline  form  an  electronics  hardness  validation  methodology  appli¬ 
cable  to  Army  tactical  systems.  Including  a  catalog  of  documents  needed  to 
support  It.  More  detailed  outlines  of  some  of  the  documents  are  Included  In 
Appendices. 
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SECTION  2 
PARTICULAR  ISSUES 


2.1  INTRODUCTION. 

In  this  report  we  take  the  point  of  view  that  achieving  hardness 
with  reasonable  confidence  requires  that  the  technology  of  hardening  be 
developed  into  a  mature  engineering  discipline.  The  interrelated  ingredi¬ 
ents  of  such  a  discipline  are: 

1.  Means  to  specify  contractually  in  pragmatic  terms  what  is 
required  i.e.,  what  data  are  required,  by  what  rules  are  the 
data  related  to  system  hardness,  how  does  the  manufacturer 
demonstrate  compliance  with  hardness  required?.  This  applies 
to  the  system  and  to  all  lower  levels  of  assembly  down  to  the 
piece-part. 

2.  Quantitative  infonriation  by  which  to  perform  design  trade¬ 
offs  (e.g.,  parametric  interrelations  between  hardness 
achievements  and  other  factors,  such  as  performance,  weight, 
cost,  etc.). 

3.  Calculational  and  experimental  tools  needed  to  perform  the 
design  trade-offs  (e.g.,  numerical  and  experimental  simula¬ 
tion). 

4.  Documentation  of  these  techniques  and  data  in  textbooks, 
handbooks,  design  guidelines,  specifications  and  standards  so 
that  design  and  evaluation  engineers  can  learn  to  use  them, 
in  effect  incorporating  them  as  an  integral  part  of  the 
design  process. 
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5.  Procedures  for  design  review,  equipment  qualification,  and 
unit  acceptance. 

The  analog  to  reliability  engineering  is  particularly  instructive. 
The  prime  item  specification  generally  includes  minimum  reliability  require¬ 
ments  (e.g..  Mean  Time  Between  Failure)  and  may  also  prescribe  some  of  the 
results  whereby  the  design  is  to  be  accomplished  (e.g.,  factors  for  acceler¬ 
ated  testing  of  devices  on  which  adequate  statistical  data  are  unavailable; 
proscription  against  the  use  of  certain  designs).  A  review  procedure  may  be 
required,  including  a  review  board  in  which  a  representative  of  the  customer 
and  his  expert  consultants  participate. 

The  prime  item  designer  then  allocates  the  reliability  budget 
among  the  various  subsystems.  The  same  procedure  is  followed  to  translate 
the  subsystem  requirements  into  pragmatic  procedures  applied  to  the  design 
and  qualification  of  each  subsystem,  and  so  forth  down  to  elementary  parts 
and  materials. 

Of  course  the  practice  is  not  as  complete  as  implied  above. 
Experience  has  taught  that  many  features  are  not  critical  for  reliability 
and  can  be  dealt  with  casually.  Others  are  recognized  to  be  critical,  fre¬ 
quently  because  of  the  unsatisfactory  experience  in  some  other  applications. 
Reliability  is  a  strong  force  for  conservative  design:  promoting  the  use  of 
materials  and  devices  that  have  demonstrated  reliability.  New  technologies 
offer  the  promise  of  increased  capability,  but  usually  at  some  risk  of 
introducing  a  new  (usually  unexpected)  failure  mode. 

Important  tools  for  reliability  and  engineering  include: 


1. 


Previous  design  experience,  including  the  resulting  data 
base. 
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2.  Standards  and  specifications:  ways  of  doing  things  that  are 
reasonably  invariant  to  who  is  doing  them. 

3.  Accelerated  testing:  means  of  establishing  acceptable  long¬ 
term  performance  by  short  term  overstressing  (either  for  lot 
quality  sampling  or  nondestructive  screens). 

4.  Nondestructive  and  destructive  testing  (screen  or  sampling). 

5.  Independent  reliability  audits  by  a  quality  control  staff 
separate  from  design  staff. 

6.  Appropriate  and  defined  procedures  for  statistical  treatment 
of  data. 

As  a  result  of  applying  these  tools,  the  system  is  designed  so 
that  adequate  performance  is  maintained  in  spite  of  the  inevitable  parameter 
variations.  Reliability  critical  items  are  flagged  for  particular  atten¬ 
tion,  including  special  quality  control  measures  when  needed. 

By  comparison,  hardening  technologies  have  not  achieved  the  status 
of  a  mature  engineering  discipline.  A  large  body  of  knowledge  exists. 
Experts  can  recommend  design  practices  that  are  likely  to  harden  a  system, 
but  rarely  is  the  information  suitable  for  quantitative  judgement  in  trade¬ 
offs  between  hardness  and  opposing  factors.  As  a  result  most  system  harden¬ 
ing  efforts  have  concentrated  on  obvious  problems  and  on  solutions  that  made 
relatively  little  negative  impact  otherwise.  The  hardness  of  the  end  pro¬ 
duct  is  debatable:  the  designers  point  to  the  hardening  features;  the 
critics  point  to  the  remaining  uncertainties;  the  designers  retort  by  accus¬ 
ing  the  critics  of  promoting  their  own  hobby;  etc. 


This  report  outlines  the  makeup  of  a  future  engineering  discipline 
for  hardening  tactical  ground  systems  to  the  stresses  produced  by  nuclear 
radiation  and  nuclear  EMP  exposure.  The  methodology  as  described,  is  based 
on  existing  knowledge  extrapolated  by  judgement. 

The  approach  taken  is  that  the  experts  knowledge  should  be  trans¬ 
lated  into  codified  procedures  (i.e.,  recipes)  to  be  applied  by  the  SPO, 
designers  and  vendors.  In  particular,  uncertainties  (due  to  lack  of  know¬ 
ledge,  complexity,  statistical  variations,  etc.)  should  be  reflected  in  pre¬ 
scribed  design  margins  or,  equivalently,  methods  to  establish  worst  case 
limits  and  relevant  tests.  This  approach  does  not  exclude  rules  that  pro¬ 
hibit  some  designs  (either  specifically  or  by  imposing  unacceptable  design 
margins).  We  believe  however  that  the  hardening  technologists  should  not 
try  to  legislate  what  designs  should  be  used;  their  lack  of  expertise  in  the 
many  factors  not  related  to  hardness  is  likely  to  lead  to  faulty  design,  or 
a  nonoptimal  one.  If  it  is  necessary  to  proscribe  a  design  concept  because 
it  is  inherently  impossible  to  maintain  or  establish  its  hardness,  so  be 
it.  But  we  must  leave  the  designers  as  much  room  in  the  multi -parameter 
design  space  as  possible.  This  situation  too  has  its  analog  in  non-nuclear 
reliability. 

There  is  a  legitimate  concern  over  a  serious  asymmetry  between 
normal  reliability  and  nuclear  reliability:  most  but  not  all  normal  relia¬ 
bility  weaknesses  come  to  light  during  peacetime  operation  and  testing. 
Nuclear  reliability  test  programs  are  not  likely  to  become  as  extensive  and 
realistic  as  missile  test  flights.  While  most  items  will  be  exposed  to  a 
wide  range  of  non-nuclear  stresses  (e.g.,  acceleration,  vibration,  vacuum) 
both  during  testing  and  operation,  the  specified  nuclear  environment  is  a 
worst  case  envelope  to  which  only  a  small  fraction  of  the  force  is  likely  to 
be  exposed.  These  factors  must  be  weighed  seriously  in  establishing  dis¬ 
cipline.  In  general  this  situation  should  produce  more  conservative  designs 
(i.e.  larger  design  margins)  to  compensate  for  less  realistic  testing  for 
nuclear  as  compared  to  non-nuclear  reliability. 
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The  remainder  of  this  Section  will  develop  this  view  In  more 
detail.  In  Section  2.2  we  will  use  a  particular  example  of  a  procurement 
specification  to  Illustrate  the  existing  controls  on  the  Reliability  program 
and  other  -llltles,  and  point  out  the  comparative  lack  of  maturity  In  refer¬ 
ences  to  Hardness  Management  procedures.  Section  2.3  will  discuss  In  more 
detail  the  definitions  and  characteristics  of  various  documents  that  need  to 
be  prepared  to  support  the  recommended  Hardness  Management  procedures.  Sec¬ 
tion  2.4  will  address  one  of  the  critical  Issues:  how  to  deal  with  varia¬ 
tions  and  other  uncertainties.  Section  2.5  develops  In  more  general  form 
the  tradeoffs  available  to  the  development  organization  resulting  from  a 
hlerarchlal  structure  of  analysis  and  test  methods.  Section  2.6  describes  a 
tool  that  aids  In  simplifying  the  hardness  assessment  problem:  the  zone 
concept.  Finally,  Section  2.7  describes  the  Impact  of  margins  on  hardness 
assurance,  maintenance,  and  surveillance. 

2.2  PROCUREMENT  PROCESS. 

Hardness  Management  will  be  more  efficient  and  more  easily 
accepted  by  developers  If  the  techniques  follow  as  closely  as  possible  those 
already  applied  In  other  areas,  with  which  the  managers  and  engineers  are 
already  familiar.  It  Is  Instructive,  therefore,  to  review  the  kind  of  docu¬ 
ments  that  are  commonly  used  In  procuring,  designing  and  testing  electronic 
hardware.  Irrespective  of  nuclear  effects  requirements. 

Whether  an  Item  to  be  developed  is  a  major  system  (e.g.  missile) 
or  a  small  part  of  a  system  (e.g.  electronic  device  or  module)  the  necessary 
characteristics  of  the  item  are  defined  In  a  Procurement  Specification.  In 
principle,  this  document  defines  In  a  legally  enforceable  manner  those  capa¬ 
bilities  and  environmental  tolerances  that  the  Item  must  have  to  be  accept¬ 
able.  Part  of  the  specification  deals  with  the  specific  capabilities 
required  to  perform  the  mission  (e.g.  the  range/payload  and  CEP  of  the  mis¬ 
sile,  the  gain  and  stability  of  an  amplifier).  Another  part  establishes  the 


means  by  which  these  capabilities  must  be  demonstrated  (e.g.  the  number  of 
test  flights  and  associated  success  rate,  the  test  methods  and  environmental 
variables  for  the  amplifier  gain  measurements).  Another  part  addresses  a 
large  number  of  auxiliary  issues  that  are  normally  overlooked  by  scientists, 
but  represent  the  backbone  of  system  engineering.  These  are  usually  covered 
by  reference  to  a  long  list  of  government  documents  (e.g.  MIL-STD's  and 
others)  that  prescribe  how  things  are  to  be  done,  and  sometimes  proscribe 
some  options. 

2.2.1  Reliability  Example. 

This  point  can  best  be  illustrated  by  reference  to  a  specific  pro¬ 
curement  specification,  one  prepared  by  Westinghouse  Electric  Corporation  to 
procure  an  Output  Device  for  Airborne  Radio  Receiver  Miniature  Receive  Ter¬ 
minal  (MRT).  In  this  case  the  specification  covered  an  item  to  be  furnished 
by  a  subcontractor  to  Westinghouse,  who  would  incorporate  it  into  the  Air¬ 
borne  Radio  Receiver  for  delivery  to  the  Government.  Sections  of  this  Spe¬ 
cification  will  now  be  used  to  illustrate  the  procurement  process.  This 
Specification  is  typical  of  specifications  at  all  levels  of  assembly.  As  a 
matter  of  fact,  it  can  be  safely  assumed  that  many  of  the  entries  in  this 
Specification  are  simply  copied  from  the  higher  level  specifications  levied 
on  Westinghouse  by  the  Government. 

The  Table  of  Contents  for  the  Specification  is  shown  in  Figure  1. 
Normally,  our  attention  would  focus  on  Section  3,  which  appears  to  contain 
the  meat  of  the  matter:  what  is  the  item  supposed  to  do.  However,  a  major 
input  comes  from  Section  2,  Applicable  Documents.  This  section  is  repro¬ 
duced  in  Figure  2.  It  consists  of  7  pages  of  document  titles,  each  of  which 
comprise  many  pages.  Yet  the  beginning  of  Section  2.1  states,"  The  follow¬ 
ing  documents -  form  a  part  of  this  specification  - ".  While  it 

is  tempting  to  discard  this  as  so  much  bureaucratic  red  tape,  the  contractor 
who  does  so  is  flirting  with  insolvency.  Most  of  these  documents  are  not  to 
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1  0  SCOPE ■ 


Item  Description.  This  specification  establishes  the 
performance,  design,  development,  and  test  requirements  for  the 
Output  Device  for  the  Miniature  Receive  Terminal  (MRT)  herein 
referred  to  as  the  Printer. 


2 . 0  APPLICABLE  DOCUMENTS. 

2.1  Government  Documents .  The  following  documents  of  the  exact 
issue  shown  form  a  part  of  this  specification  to  the  extent 
specified  herein.  In  the  event  of  conflict  between  the  documents 
referenced  herein  and  the  contents  of  this  specification,  the 
contents  of  this  specification  shall  be  considered  a  superseding 
requirement . 

SPECIFICATIONS ; 


Military 


MIL-G-3056D 

Gasoline,  Automative,  Combat 

29 

Sep 

1975 

Amendment  2 

5 

Jul 

1979 

MIL-B-5087B 

Bonding,  Electrical,  and  Lighting 
Protection,  for  Aerospace  Systems 

3  1 

Aug 

1970 

Amendment  2 

12 

Jul 

1977 

MIL-E-54.00T 

Electronic  Equipment,  Airborne, 

General  Specification  for 

15 

Nov 

1979 

Amendment  1 

5 

Sep 

1930 

MIL-H-5606E 

Hydraulic  Fluid,  Petroleum  Base, 
Aircraft  Missile  and  Ordnance 

29 

May 

1980 

Amendment  1 

2 

Mar 

19  34. 

Figure  2.  Referenced  specifications  no.  645A094. 


23 


Specification  No.  64.5A094. 
Date;  1  March  1985 
Page  2 


MIL-T-5624.L  Turbine  Fuel.  Auiation.  JPi  and  JP5 

Amendment  2 

MIL-E-60510  Electromagnetic  Compatibility 

Requirements  Systems 

Amendment  1 

MIL-F-7179E  Finishes  and  Coatings;  Protection 

of  Aerospace  Weapons  Systems, 
Structures  and  Parts.  General- 
Specification  for 

Amendment  1 

MIL-L-7808J  Lubricating  Oil,  Aircraft  Turbine 

Engine  Synthetic  Base 

MIL-a-78a3B  Brazing  of  Steels,  Copper.  Copper 

Alloys,  Nickel  Alloys.  Aluminum 
and  Aluminum  ALloys 

MIL-S-8516E  Sealing  Compound,  Polysulfide 

Rubber.  Electronic  Connectors  and 
Electric  Systems,  Chemically  Cured 

Amendment  2 

MIL-P-9024.G  Packaging.  Materials  Handline  and 

Transportability.  System  i.  System 
Segments;  General  Specification  for 

MIL-P-1394.9F  Plastic  Sheet.  Laminated,  Metal 

Clad.  (For  Printed  Wiring)  General 
Specification  for 

Supplement  1 

Amendment  3 

MIL-F-14.25fiD  Flux,  Soldering.  Liquid  (Rosin  Base) 

Amendment  2 


18  May  1979 

10  Aug  1983 

7  Sep  1967 

5  Jul  1968 
15  Now  1972 

19  Sep  1974 

11  May  1932 

20  Feb  1968 

30  Jul  1971 

29  Sep  1972 

6  Jun  1972 

5  Dec  1977 

10  Mar  1981 
24  Apr  1984 

17  Aor  1972 

21  Jan  1980 


MIL-S-19500G  Semiconductor  Device,  General  15  Feb  1934 

Specification  for 

MIL-S-23586D  Sealing  Compound.  Electrical  29  Dec  1981 

Silicone  Ruober.  Accelerator 
Required 


Figure  2.  Referenced  specifications  no.  645A094  (continued). 
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MIL-S-2 504.7C  Marking  and  Exterior  Finish  Colors 
for  Airplanes.  Airplane  Parts  and 
•  Missiles 


Amendment  1 


MIL-C-38999H 


Supplement  1 
Amendment  1 


Connector,  Electrical.  Circular 
Miniature,  High  Density,  Quick 
Disconnect  (Bayonet,  Threaded, 
and  Breech  Coupling).  Environment 
Resistant,  Remouable  Crimp  and 
Hermetic  Solder  Contacts,  General 
Specification  for 


MIL-I-4.5208 
Amendment  1 


Inspection  System  Requirements 


MIL-H-4.6855B 


Human  Engineering  Requirements  for 
Military  Systems,  Equipment  and 
Facilities 


Amendment  1 


MIL-E-i7220A  Coolant  Fluid,  Dielectric 

MIL-P-55110  Printed  Wiring  Boards 


Amendment  5 


MIL-C-55543A 


Notice  1 


Cable.  Electrical,  Flat  Multi¬ 
conductor,  Flexible,  Unshielded 


MIL-P-55617B 


Amendment  1 


Plastic  Sheet.  Thin  Laminate, 
Copper  Clad  (For  Printed  Wiring, 
Primary  or  Multilayer) 


MIL-G-556360  Glass  Cloth,  Resin  Preimpregnated 


MIL-I-31550C  Insulating  Compound,  Electrical, 
Embedding  Reversion  Resistant 
Silicone 


MIL-?-ai728A 
Amendment  1 


Plating,  Tin  Lead  (Electrodeposited ) 


MIL-C-332a6B 


Amendment  2 


Coating,  Urethane,  Aliphatic, 
Isocyanate  for  Airplane  Applications 


18  Jun  1968 


12  Nov 


27  Feb 


21  Seo 
15  Jun 


198  1 
1981 


16  Dec 
21  Jul 


1963 
193  1 


31  Jan  1979 


5  Apr  1982 


29  Dec 
18  Jul 
28  Mar 


1979 

1978 

1981 


6  Oct  1971 


1  Apr 


10  Sep 


3  Jun  1977 


11  Jul 


27  Dec 
23  Mar 


1977 
19  30 


18  Jun  1975 


19  Aug  1980 


Figure  2.  Referenced  specifications  no.  645A094  (continued). 
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MIL-C-837230 

Connector,  Electrical,  (Circular, 
Environmental  Resisting),  Receptables 
and  Plugs,  General  Specification  for 

27 

Dec 

1977 

Supplement  1 

27 

Dec 

1977 

MIL-C-837338 

Connector,  Electrical.  Miniature 
Rectangular  Type.  Rack  to  Panel, 
Environment  Resisting,  200  Deg.  C 

Total  Continuous  Operating 

Temperature,  General  Specification  for 

10 

Dec 

1980 

Amendment  1 • 

29 

Mar 

1980 

Supplement  1 

Other  Gouernment  Actiuitv 

10 

Dec 

1980 

DOD-D-IOOOB 

Drawings,  Engineering  i  Associated 

Lists 

23 

Oct 

1977 

Amendment  1 

30 

Nov 

1978 

ESD-616A-84.-1 

System  Specification  For  Airborne 

Radio  Receiver  Miniature  Receive 

Terminal  (MRT)  AN/ARR-XXX 

1  1 

Jan 

1985 

NSA  68-3E 

NSA  Specification  For  Rigid  Multi¬ 
layer  Printed  Circuit  Boards  (Plated 
through  Holes) 

21 

Dec 

1978 

STANOARDS : 

federal 

fed-STD-595A 

Color 

2 

Jan 

1963 

Notice  8 

30 

Aug 

1984. 

Military 

MIL-STD-129H 

Marking  for  Shipment  and  Storage 

1 

w 

Jan 

197  3 

Notice  4. 

30 

Sep 

19  8  2 

MIL-S7D-130F 

Identification  Marking  of  US 

Military  Property 

2  1 

Ma  y 

1982 

Notice  1 

2 

Jul 

1984. 

MIL-STD-14.3B 

Standards  and  Specifications,  Order 
of  Precedence  for  the  Selection  of 

12 

Nov 

1969 

MIL-STD-188C 

Military  Communication  System 

Technical  Standards 

24. 

Nou 

1969 

Notice  1 

1 

Jun 

1975 

Notice  2 

1 

2  Nou 

1976 

Figure  2.  Referenced  specifications  no.  645A094  (continued) 
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MIL-STD-202F  Test  Methods  for  Electrical  and 
Electronic  Components  Parts 

Notice  5 

MlL-STD-275  Printed  Wiring  For  Electronic  Equipment 

Notice  5 

MlL-STD-4.5iJ  Standard  General  Requirements  for 
Electronic  Equipment 

Notice  1 

MlL-STD-4.6  1 S  Electromagnetic  Emission  and 

Susceptibility  Requirements  for 
the  Control  of  Electromagnetic 
Interf erence 

MlL-STD-462  Electromagnetic  Interference 

Charac  tens  tics 

Notice  4. 

MlL-STD-7040  Aircraft  Electric  Power 
Characteristics 

MlL-STD-7568  Reliability  Modeling  and  Predictions 

Notice  1 

MlL-STD-7858  Reliability  Program  for  Systems 

Equipment  Deuelopment  &  Production 

Ml L-STD-794-E  Part  and  Equipment,  Procedures  for 

Packaging  and  Packing  of 

MlL-STD-8100  Environmental  Test  Methods 

MIL-STD-883D  Test  Methods  and  Procedures  for 
Microelectronics 

Notice  1 


MlL-STD-1338-  Logistic  Support  Analysis 
lA 


I  Apr  1980 
23  Mar  1984 
26  Apr  1978 

7  red  1984 
3C  Apr  1984 

30  Aug  1984 
1  Apr  1930 

31  Jul  1977 
1  Apr  1980 

30  Sep  1980 

18  Nov  1981 

31  Aug  1982 

15  Sep  1980 

15  Oct  1981 

19  Jul  1983 
31  Aug  1977 
21  Jul  1973 

II  Apr  1983 


MIL-STD- 1 472C  Human  Engineering  Design  Criteria  2  May  1981 

for  Military  Systems,  Equipment  and 
Facilities 

Notice  2  10  May  1973 


Figure  2.  Referenced  specifications  no.  645A094  (continued). 
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OTHER  PUBLICATIONS: 


Handbooks 

Military 


MIL-HOBK-50 
Notice  1 
MIL-HD8K-2 17D 
Notice  1 

Other  Gouernment  Handbooks 


Metallic  Materials  and  Elements  for 
Aerospace  Vehicle  Structures 


Reliability  Prediction  of 
Electronic  Equipment 


OOD-HDBK-263  Electrostatic  Discharge  Control 
Handbook  for  Protection  of 
Electrical  and  Electronic  Parts , 
Assemblies  and  Equipment 


Other  Gouernment  Documents 


AfWL-TR-76-14.7  Nuclear  Hardness  Assurance  Guide¬ 
lines  for  systems  with  Moderate 
Requirements 


DI-E-7028A 

DI-E-703 IT 

DOO-5000 . 39 

ESD-TR-83-197 

NACSIM  5100A 

NACSIM  5203 

RADC-TR-75-22 


Nonstandard  Part  Approval 
Requests/Proposed  Additions  to  an 
Approved  Program  Parts  Selection 
List 

Drawings,  Engineering  and 
Associated  Lists 

Acquisition  and  Management 
Integrated  Logistics  Support  for 
Systems  and  Equipment 

Derated  application  of  Parts  for 
ESD  Systems  Development 

Compromising  Emanations  Laboratory 
Test  Standard  Electromagnetics 
(Secret) 

Red  &  Black  Engineering  and 
Installation  Criterions 

Reliability  Notebook 


1  jun  19o3 

1  Jun  193‘1 
15  Jan  198-2 
13  Jun  1983 

2  May  1930 


Sep  1976 


4  Mar  1981 


17  Jan  1930 

Sep  1983 

1  Jul  1931 

30  Jun  1932 

Jan  1975 


Figure  2.  Referenced  specifications  no.  645A094  (continued). 
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2.2  Non— Gouernment  Documents .  The  following  documents  of  the  exact 
issue  shown  form  a  part  of  this  specification  to  the  extent 
specified  herein.  In  the  euent  of  conflict  between  the  documents 
referenced  herein  and  the  contents  of  this  specification,  the 
contents  of  this  specification  shall  be  considered  a  superseding 
requirement. 


S  ?  E  ClrlCariONS 


4.3999  GS  2569fl03A 


4.3999  GS  2569A04.a 


Appendices 
4.3999  GS  2569A05B 


Long  Range  Combat  Aircraft 
Uibration,  Acoustic  Noise 
Shock,  and  Acceleration 
Criteria 

Long  Range  Combat  Aircraft, 
General’ Specif ication  for 
Suruiu ability /Vulnerability 
(Secret) 


Long  Range  Combat  Aircraft 
Thermodynamic  Environment 


23  Ncu  1931 


20  Dec  1982 


25  jun  198- 


24.  Feb  1983 


3 . 0  REOUIREYENTS. 

3.1  ITEM  OEfINITION.  The  MRT  Output  Device  (Printer)  provides 
hard  copy  read-out  capability  for  the  serial  data  inputs  from 
the  MRT  receiver.  The  printer  shall  receive  aircraft  power 
ciirectly  and  appropriate  input  signals  from  the  MRT  receiver, 
buffer  and  decode  those  signals  as  necessary,  and  generate  a 
high  quality,  high  durability  hard  copy  output  using  nonimpact 
direct  imaging  techniques.  The  printer  shall  use  a  nonmoving 
thermal  or  electrosensitive  printhead. 


Figure  2.  Referenced  specifications  no.  645A094  (concluded). 


be  taken  lightly.  Not  only  are  many  of  them  written  in  precise,  legally- 
enforceable  form,  but  there  are  specialists  in  these  fields  working  for  the 


Government  and  for  prime  contractors  who  understand  what's  said  in  them  very 
well . 

Having  made  a  case  for  taking  the  Applicable  Documents  seriously, 
let  us  now  review  the  nature  of  some  of  them.  It's  particularly  instructive 
to  study  the  subset  dealing  with  Reliability.  Their  list  is  repeated  in 
Figure  3.  We  will  now  consider  each  of  these  five  documents. 


MIL-STD-785B 

Reliablity  Program  for  Systems 
Equipment  Development  A  Production 

15  Sep  1980 

MIL-STD-756B 

Reliability  Modeling  and  Predictions 

18  Nov  1981 

Notice  1 

31  Aug  1982 

MIL-HDBK-217D 

Reliability  Prediction  of  Electronic 
Equipment 

15  Jan  1982 

Notice  1 

13  June  1983 

RADC-TR-75-22 

Nonelectronic  Reliability  Notebook 

Jan  1975 

ESD-TR-83-197 

Derated  Application  of  Parts  for  ESD 
Systems  Development 

Sep  1983 

Figure  3.  Reliability  references. 

MIL-STD-785B,  Reliability  Program  for  Systems  Equipment  Develop* 
ment  A  Production,  is  a  management  document.  It  spells  out  what  steps  need 
to  be  taken  to  plan  and  execute  an  acceptable  reliability  program.  The 
Table  of  Contents  is  reproduced  in  Figure  4.  The  first  six  pages  are  gene¬ 
ral  in  nature,  including  Definitions  and  some  more  Referenced  Documents  (see 
Figure  5).  The  meat  of  the  documents  is  in  the  Task  descriptions.  Each 
Task  is  required  to  be  executed  by  the  contract,  and  many  of  them  call  out 
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RELIABILITY  PR0CRA“  FOR  SYSTEMS  AND  EQUIPMENT 
DEVELOPMENT  AND  PRODUCTION 


1.  SCOPE 


1,1  PuroQge ■  This  standard  provides  general  requirements  and  specific  taslYs 
for  reliability  programs  during  the  development,  production,  and  initial 
deployment  of  systems  and  equipment. 


1.2.1  APFlleatlon  of  standard.  Tasks  described  in  this  standard  are  to  be 
selectively  applied  in  DOD  contract-definitized  procurements,  request  for 
proposals,  statements  of  work,  and  Government  in-house  developments  reoulrlng 
reliabilitv  programs  for  the  development,  production,  and  initial  deployment 
of  systems  and  equipment.  The  word  "contractor"  herein  also  Includes 
Government  activities  developina  military  systems  and  equipment. 

1.2.2  Tailoring  of  task  descrtetions .  Task  descriptions  are  intended  to  be 
tailored  as  required  by  governing  regulations  and  as  appropriate  to  particular 
systems  or  equipment  program  type,  magnitude,  and  funding.  When  preparing  his 
proposal,  the  contractor  mav  include  additional  tasks  or  task  modifications 
with  supporting  rationale  for  each  addition  or  modification. 

1.2.2. 1  The  "Details  To  Be  Specified"  paragraph  under  each  task  description  is 
intended  for  listing  the  specific  details,  additions,  modifications,  deletions, 
or  options  to  the  requirements  of  the  task  that  should  be  considered  bv  the 
procuring  activity  when  tailoring  the  task  description  to  fit  program  needs, 
"Details"  annotated  bv  an  "(R)"  are  essential  and  shall  be  provided  the 
contractor  for  proper  implementation  of  the  task. 

1.2.3  Application  guidance.  Application  guidance  and  rationale  for  selecting 
tasks  to  fit  the  needs  of  a  particular  reliability  program  is  Included  in 
appendix  A;  this  appendix  is  not  contractual. 

1.3  Method  of  reference.  When  specifying  the  task  descriptions  of  this 
standard  as  requirements,  both  the  standard  and  the  specific  task  description 
nusberCs)  are  to  be  cited.  Applicable  "Details  To  Be  Specified"  shall  be 
Included  in  the  statement  of  work. 

2.  REFERENCED  DOCUMENTS 

2.1  Government  documents.  The  following  documents,  of  the  issue  in  effect  on 
date  of  invitation  for  bids  or  request  for  proposal,  form  a  part  of  this 
standard  to  the  extent  specified  herein: 

STANDARDS 

MILITARY 

MIL-STD-105  Sampling  Procedures  and  Tables  for  Inspection  by  Attributes 

MIL-STD-721  Definitions  of  Terms  For  Reliability  and  Maintainability 

MlL-STD-781  Reliability  Design  Qualification  and  Production  Acceptance 

Tests:  Exponential  Distribution 
MIL-STD-965  Parts  Control  Program 
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PUBLICATIONS 

MILITARY  HANDBOOK 

MIL-HDBK-217 


Reliability  Prediction  of  Electronic  Eoulpiaent 


(Copies  of  specifications,  standards,  drawinijs,  and  oublications  reouired  bv 
contractors  in  connection  with  specific  procurement  functions  should  be 
obtained  from  the  procurlnr^  activity  or  as  directed  by  the  contractimt 
officer.) 

3.  TERMS,  DEFINITIONS,  AND  ACRONYMS 

3.1  Terms .  The  terms  used  herein  are  defined  in  MIL-STD-721. 

3.2  Definitions.  Definitions  applicable  to  this  standard  are  as  follows: 

a.  Tailoring;  The  process  by  which  the  individual  requirements 
(sections,  paragraphs,  or  sentences)  of  the  selected  specifications  and 
standards  are  evaluated  to  determine  the  extent  to  which  each  requirement  is 
most  suitable  for  a  specific  materiel  acquisition  and  the  modification  of  these 
requirements,  where  necessary,  to  assure  that  each  tailored  document  invoked 
states  only  the  minimum  needs  of  the  Government.  Tailoring  is  not  a  license  to 
specify  a  zero  reliability  program,  and  must  conform  to  provisions  of  existing 
regulations  governing  reliability  programs. 


(1)  Conceptual  (CONCEPT)  phase;  The  identification  and  exploration 
of  alternative  solutions  or  solution  concepts  to  satisfy  a  validated  need. 

(2)  Deaonatration  and  validation  (VALID)  phase:  The  period  when 
selected  candidate  solutions  are  refined  through  extensive  study  and  analyses; 
hardware  development,  if  appropriate;  test;  and  evaluations. 

(3)  Full-scale  engineering  development  (FSED).  Phasfci.  The  period 
when  the  system  and  the  principal  items  necessary  for  its  support  are  designed, 
fabricated,  tested  and  evaluated. 

(U)  Production  (PR0C1  phase:  The  period  from  production  approval 
until  the  last  system  is  delivered  and  accepted. 

c.  Reliability  accounting;  That  set  of  mathematical  tasks  which 
establish  and  allocate  quantitative  reliability  requirements,  and  predict  and 
measure  quantitative  reliablity  achievements. 

d.  Reliability  engineering:  That  set  of  design,  development,  and 
manufacturing  tasks  by  which  reliability  is  achieved. 

e.  Basie  reliability:  The  duration  or  probability  of  failure-free 
performance  under  stated  conditions.  Basic  reliabilltv  terms,  such  as 
Mean-Tlme-Between  Failures  (MTBF)  or  Mean-Cycles-Between-Fallures  (MCBF)  ,  shall 
Include  all  item  life  units  (not  Just  mission  time)  and  all  failures  within  the 
items  (net  Just  mission-critical  failures  at  the  item  level  of  assembly). 

Basic  reliability  requirements  shall  be  capable  of  describing  item  demand  for 
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maintenance  manpower  (e.?.,  Mean-Time-Between-Maintenance  Actlonatf'THMA ) ) .  The 
other  system  rellaOility  oarameters  shall  employ  clearly  defined  subsets  of  all 
Item  life  units  and  all  failures. 

f.  ><is3lon  reliability:  The  ability  of  an  Iten  to  perform  its  reoulre^ 
functions  for  the  duration  of  a  specified  mission  profile. 

«•  Life  unit*:  A  measure  of  use  duration  applicable  to  the  item  (e.e., 
operating  hours,  cycles,  distance,  rounds  fired,  attempts  to  operate). 

h.  Er.vironaer.tal  stress  screening  (EgSI.  A  series  of  tests  conducted 
under  environmental  stresses  to  disclose  weak  parts  and  workmanship  defects  for 
correction . 

I.  Bellabilltv  develosmert/erowth  test  (BDCT):  A  series  of  tests 
conducted  to  disclose  deficiencies  and  to  verify  that  corrective  actions  will 
prevent  recurrence  in  the  operational  inventory.  (Also  known  as  "TAAF" 
testing. ) 

J.  Pellabilltv  Qualification  test  (80T):  A  test  conducted  under  specified 
conditions,  bv ,  or  on  behalf  of,  the  government,  using  items  representative  of 
the  approved  production  confiauration,  to  determine  compliance  with  specified 
reliability  requirements  as  a  basis  for  production  approval.  (Also  known  as  a 
"Rellablity  Demonstration",  or  "Desien  Approval",  test.) 

k.  Production  reliability  acceptance  test  (PPA.T):  A  test  conducted  under 
specified  conditions,  by,  or  on  behalf  of,  the  eovernment,  using  delivered  or 
deliverable  production  items,  to  determine  the  producer's  compliance  with 
specified  reliability  requirements. 


3.3  Acronyms .  Acronyms  used  in  this  document  are  defined  as  follows: 


CD? 

CDRL 

CFE 

DID 

ESS 

FMECA 

FRACAS 

FPB 

FSED 

CFE 

CIDEP 

CPR 

LSAP 

LSAP 

MC5F 

MCS? 

MTBCF 

MTBDE 

MTSF 

MT3MA 

KTHR 

PA 


Critical  Design  Review 
Contract  Data  Recuirements  List 
Contractor  Furnished  Equipment 
Data  Item  Descriotlon( s) 

Environmental  Stess  Screening 

Failure  Modes,  Effects,  and  Criticality  Analvsis(es) 
Failure  Reporting,  Analysis(es)  ,  and  Corrective  Action 
Systems 

Failure  Review  Board 
Full  Scale  Engineering  Development 
Government  Furnished  Equipment 
Government/Industry  Data  Exchange  Program 
Government  Plant  Reore3entative( s) 

Logistic  Support  Analysis  Program 
Logistic  Support  Analysis  Records 
Mean-Cvcles-Be tween-Failures 
Mission  Completion  Success  Probability 
Misslcn-Tlme-Between-Crltical  Failures 
Mean-Time-Between-Downing  Events 
M e an -Tioe-Be tween-Failures 
Mean-Tloe-Eetween-Maintenance  Actions 
Mean-Tioe-Be tween-Reraovals 

Procuring  Activity  (including  Program/Project  Offices) 
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PCB 

PDR 

PPSL 

PRAT 

PRST 

RDCT 

RFP 

ROT 

SCA 

SOW 

TAAF 


Parts  Control  Board 
PrcllJBlnary  Design  Review 
Prograa  Parts  Selection  List 
Production  Reliability  Acceptance  Teat 
Probability  Ratio  Seduential  Test 
Reliability  Developaent/Crowth  Teat 
Request  For  Proposal 
Reliability  Qualiricatioo  Test 
Sneak  Circuit  Analyais(es) 

Sbateaent  Of  Work 
Test,  Analyze,  and  Fix 


A.  GENERAL  REQUIREMENTS 


A.1  Reliability  oroaraa.  The  contractor  shall  establish  and  aaintaln  an 
efficient  reliability  prograa  to  support  econoaioal  achleveaent  of  overall 
prograa  objectives.  To  be  considered  efficient,  a  reliability  prograa  shall 
clearly:  (1)  laprove  operational  readiness  and  alsslon  success  of  the  aajor 
end-ltea;  (2)  reduce  Itea  deaand  for  oalntenance  aanpower  and  logistic  support; 
(3)  provide  essential  oanageaent  Infomatlon;  and  (A)  hold  down  Its  own  Impact 
on  overall  prograa  coat  and  schedule. 


A. 2  Proeraa  reoulrenents.  Each  reliability  prograa  shall  Include  an 
appropriate  ■!«  of  reliability  engineering  and  accounting  tasks  depending  on 
the  life  cycle  phase.  These  tasks  shall  be  selected  and  tailored  according  to 
the  type  of  itea  (systea,  aubayatea  or  equlpoent)  and  for  each  applicable  phase 
of  the  acquisition  (CONCEPT,  VALID,  FSED,  and  PROD).  They  shall  be  planned, 
Integrated  and  accomplished  In  conjunction  with  other  design,  developaent  and 
oanufacturlng  functions.  The  overall  acquisition  prograa  shall  Include  the 
resources,  schedule,  aanageoent  structure,  and  controls  necessary  to  ensure 
that  specified  reliability  prograa  tasks  are  satisfactorily  accomplished. 

A. 2.1  Reliability  enelneerlne.  Tasks  shall  focus  on  the  prevention, 
detection,  and  correction  of  reliability  design  deficiencies,  weak  parts,  and 
workaanship  defects.  Reliability  engineering  shall  be  an  Integral  part  of  the 
Itea  design  process,  including  design  changes.  The  means  by  which  reliability 
engineering  contributes  to  the  design,  and  the  level  of  authority  and 
constraints  on  this  engineering  discipline,  shall  be  identified  in  the 
reliability  prograa  plan.  An  efficient  reliability  program  shall  st.-ess  early 
Investoent  in  reliability  engineering  tasks  to  avoid  subsequent  costs  and 
schedule  delays. 


A. 2. 2  Rellablltv  accounting.  Tasks  shall  focus  on  the  provision  of 
inforaation  essential  to  acquisition,  operation,  and  support  management. 
Including  properly  defined  inputs  for  estlaates  of  operational  effectiveness 
and  ownership  cost.  An  efficient  reliability  prograa  shall  provide  this 
Information  while  ensuring  that  cost  and  schedule  Investaent  In  efforts  to 
obtain  oanageaent  data  (such  as  demonstrations,  qualification  tests,  and 
acceptance  tests)  is  clearly  visible  and  carefully  controlled. 

A. 3  Reliability  program  interfaces.  The  contractor  shall  utilize  reliability 
data  and  information  resulting  froa  applicable  tasks  In  the  reliability  program 
to  satisfy  LSAP  requirements.  All  reliability  data  and  information  used  and 
provided  shall  be  based  upon,  and  traceable  to,  the  outputs  of  the  reliability 
prograa  for  all  logistic  support  and  engineering  activities  involved  in  all 
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phases  of  the  system/subsystem/equipment  acoulsitlon. 

!*.•<  Quantitative  rebuirer.ents .  The  systei)/ subsystem/ equipment  reliability 
requirements  shall  be  specified  contractually.  Quantitative  reliability 
requirements  for  the  system,  all  major  subsystems,  and  equioments  shall  be 
included  in  appropriate  sections  of  the  system  and  end  item  specifications. 

The  sub-tier  values  not  established  by  the  orocurin^  activity  shall  be 
established  by  the  system  or  equioment  contractor  at  a  contractually  specified 
control  point  prior  to  detail  deslen. 

n.^.l  Categories  of  Quantitative  reoulrements .  There  are  three  different 
categories  of  quantitative  reliability  requirements:  (1)  operational 
requirements  for  aoplicable  system  reliability  parameters;  (2)  basic 
reliability  requirements  for  item  design  and  quality;  and  (3)  statistical 
confidence/decision  risk  criteria  for  soeclflc  reliabilltv  tests.  These 
categories  must  be  carefully  delineated,  and  related  to  each  other  bv  clearly 
defined  audit  trails,  to  establish  clear  lines  of  responsibility  and 
accountabilitv  . 

*^.*^.2  System  reliability  parameters.  System  reliability  parameters  shall  be 
defined  in  units  of  measurement  directly  related  to  operational  readiness, 
mission  success,  demand  for  maintenance  oanoower,  and  demand  for  logistic 
suoport,  as  apclioable  to  the  tyoe  of  system.  Ooeratlonal  requirements  for 
eaor.  of  these  parameters  shall  include  the  combined  effects  of  item  design, 
ouality,  operation,  maintenance  and  repair  in  the  operational  environment. 
Examples  cf  syne"  reliatilitv  parameters  include;  readiness, 
year.-Time-eetween-Cowmine  Ivents  (yTBEE);  mission  success, 
^^isslon-Time-setween-Critloal  Failures  (KTBCF);  maintenance  demand, 
Kear.-Time-retweer.-yaintenance  Actions  (HTfiKA);  and  logistics  demand, 
.yean-Time-retween-r.emovals  (yCrr). 

“.‘•.3  Statistical  criteria .  Statistical  criteria  for  reliabilltv 
demonstrations,  fieliatility  Qualification  Tests  (RQT),  and  Production 
Reliability  Acceptance  Tests  (PRAT)  shall  be  carefully  tailored  to  avoid 
crivinj  cost  or  sonedule  without  improving  reliability.  Such  criteria  include 
soecified  confidence  levels  or  decision  risks,  "Upper  Test  MTBF,"  "Lower  Test 
MTftF,"  etc.,  as  embodied  in  statistical  test  plans.  They  shall  be  clearlv 
seoarated  frcm  soecified  values  and  cinlmu*  acceotable  values  to  orevent  test 
criteria  from  dri'  .r.g  item  design.  They  shall  be  selected  and  tailored 
according  to  the  degree  that  confidence  intervals  are  reduced  by  each 
additional  increment  of  total  test  time. 

Ai .  .  3  .  '  Electronic  epuiaaent  .  For  electronic  ecuioment,  the  "Lower  Test  “TBF" 
shall  be  set  equal  tc  the  mininum  accectable  MT5F  for  the  item.  Conformance  t 
the  minimum  acceptable  MTB"  requirements  shall  be  demonstrated  by  tests 
selected  from  M1L-5TQ-7S1,  or  alternative  specified  by  the  PA. 

‘<.‘<.3.2  Munitions  ard  mechanical  ecuinmert.  For  munitions  and  aechanclal 
equipment,  a  giver,  lower  confidence  limit  snail  be  set  eoual  to  the  minium 
acceptable  reliability  for  the  item.  An  adequate  number  bf  sannles  shall  be 
selected  per  M1L-STD-1C5,  or  by  other  valid  means  aooroved  bv  the  PA,  and 
tested  for  conformance  to  reliability  requirements  as  specified  by  the  PA. 


Figure  5.  Excerpt  from  MIL-STD-785B  (continued). 
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MII,-STD-785B 
15  September  19BO 

5.  TASK  DESCRIPTIONS 

5.1  The  teak  descriptions  following  sr#  divided  into  three  eenersl  sections 
Section  100,  Pro^rsa  Survelllsnee  and  Control;  Section  200,  Design  and 
Evaluation;  and  Section  300,  Oevelopaent  and  Production  Testina. 


Preoarlng  Activity: 
Air  Force  -  1 1 

Project  RELI-0008 

Review  Activities: 

Aray  -  AB,  AV,  AT,  ME,  MI,  SC,  TE 
Navy  -  EC,  OS,  SA,  SH,  TD,  TD,  MC,  CC 
Air  Force  -  10,  13,  17,  18,  19,  26,  95 


Custodians : 

Aray  -  CR 
Navy  -  AS 
Air  Force  -  11 


Figure  5.  Excerpt  from  MIL-STD-785B  (concluded). 
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details  to  be  specified  by  the  Procuring  Activity.  Some  of  the  tasks  are  of 
a  management  type;  e.g.  Task  101  requires  the  contractor  to  prepare  a  Relia¬ 
bility  Program  Plan.  Upon  approval  by  the  Procuring  Activity,  executing 
this  plan  becomes  a  part  of  the  contractual  requirement.  Tasks  102  through 
105  are  other  Management  tasks:  they  require  the  contractor  to  establish 
procedures  to  monitor/control  subcontractors  and  suppliers;  conduct  reliabi¬ 
lity  program  reviews;  implement  and  acceptable  failure  reporting,  analysis, 
and  corrective  action  system;  and  to  establish  a  Failure  Review  Board.  An 
example  of  a  technical  task  is  Task  201  Reliability  Modeling.  This  calls 
upon  the  contractor  to  develop  and  implement  a  reliability  model,  using 
accepted  procedures  and  assumptions,  from  which  the  expected  reliability  of 
the  item  during  service  (inactive  and  during  mission  execution)  is  calcu¬ 
lated.  The  model  is  implemented  by  a  top-down  allocation  of  the  failure 
budget  according  to  Task  202  and  a  bottom  up  synthesis  of  system  reliability 
from  component  data  according  to  Task  203.  Other  technical  tasks  follow, 
including  Task  208,  identification  of  reliability  critical  items.  The  out¬ 
put  of  that  task  feeds  directly  into  downstream  quality  assurance,  mainte¬ 
nance  and  surveillance  tasks. 

Tasks  301  and  following  define  the  development  and  production 
tests  that  are  required  to  validate  the  reliability  model  predictions  and  to 
control  the  quality  of  the  rel iabil ity-cri tical  items. 

The  extensive  Appendix  provides  a  brief,  useful  summary  of  the 
previously  defined  tasks,  and  how  they  apply  to  different  phases  of  system 
procurement,  and  then  proceeds  into  an  extensive  discussion  of  the  tasks. 
This  discussion  is  not  a  part  of  the  legalistic  definition  of  the  tasks,  but 
is  designed  to  aid  the  engineer  in  interpreting  the  tasks.  It  includes  the 
rationale  for  many  of  the  requirements  that  have  been  imposed  by  the  tasks. 
If  one  reads  the  task  description  only,  some  of  them  may  appear  clear  but 
arbitrary.  The  Appendix  serves  to  inform  the  readers  of  the  reasoning 
behind  them.  It's  important  to  note  this  distinction:  the  task  description 


presents  a  brief  recipe  for  what  is  to  be  done,  without  recourse  to  justifi¬ 
cation.  The  justification,  and  presumably  the  basis  for  any  argument  in 
favor  of  a  waiver  of  one  of  these  requirements,  is  found  in  the  Appendix. 
The  engineer  does  not  have  to  study  the  Appendix;  if  he  chooses  he  can  sim¬ 
ply  obey  the  recipes  and  comply  with  the  requirement.  But  if  he  wishes  to 
dig  deeper  he  can  do  so  in  an  easily  available  document.  If  he  wishes  to 
dig  even  deeper  he  can  consult  the  References  given  in  the  Appendix. 

Overall,  this  document  is  still  basically  a  management  document. 
It  tells  what  tasks  are  to  be  conducted,  and  what  factors  must  be  included 
in  performing  those  tasks,  but  it  does  not  provide  specific  rules  or  formu¬ 
las  for  carrying  out  the  technical  efforts.  Such  rules  are  found  in  the 
next  document  in  our  sequence,  MIL-ST0-756B,  Reliability  Modeling  and  Pre¬ 
diction.  The  Table  of  Contents  is  reproduced  in  Figure  6.  Again  there  is 
an  introductory  section,  followed  by  more  specific  task  descriptions.  Fig¬ 
ure  7  illustrates  the  level  of  detail  in  the  tasks.  At  this  point  there  are 
still  no  numbers,  but  the  rules  for  manipulating  the  numbers  are  presented. 
These  may  seem  somewhat  obvious,  and  many  of  the  rules  are  trivial  to  some¬ 
one  sophisticated  in  statistical  analysis.  But  they  are  written  down  in  an 
unambiguous  way,  so  that  compliance  will  not  depend  on  the  sophistication  of 
the  engineer  doing  the  work. 

The  next  document,  MIL-HDBK-217D,  Reliability  Prediction  of  Elec¬ 
tronic  Equipment,  presents  numbers,  thousands  of  them.  Figure  8  illustrates 
just  one  page  out  of  hundreds.  This  is  an  example  of  certified  data.  The 
Government  has  sifted  through  the  data  base  (presumably  using  some  contrac¬ 
tor  help)  and  decided  that  a  reasonable  and  conservative  prediction  of  reli¬ 
ability  for  transistors  operating  in  a  variety  of  Environments  (GB,  etc.) 
can  be  derived  by  multiplying  together  the  indicated  and  specified  factors. 
As  long  as  a  contractor  can  find  the  applicable  number,  and  he  is  prepared 
to  live  with  the  conclusion,  he  cannot  be  contractually  faulted.  If  he 
wishes  to  demonstrate  that  his  transistor  has  better  reliability  than 
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These  environmental  considerations  are  handled  as  follows  in 
Mission  Reliability  models. 


1.  For  items  having  more  than  one  end  use,  each  with  a 
different  environment,  the  Mission  Reliability  model 
would  be  the  same  for  all  environments  except  chat 
the  failure  races  for  Che  various  equipments  of  the 
item  would  be  different  for  the  various  environments. 

2.  For  items  having  several  phases  of  operation,  separate 
Mission  Reliability  models  can  be  generated  and 
predictions  made  for  each  phase  of  operation.  The 
results  can  then  be  combined  into  an  overall  item  moael 
and  item  prediction. 

2 •  3  How  To  Construct  a  Mission  Reliability  Model 

2-3.1  Fundamental  rules  for  probability  computations.  This  section 
discusses  the  fundamental  rules  for  probability  computations  chat  provide 
Che  basis  for  the  derivation  of  the  probability  of  survival  (P^) 
equations  developed  in  Method  1001. 

2-3. 1.1  The  addition  rule  (exclusive  case) .  If  A  and  B  are  two  mutually 
exclusive  events,  i.e.,  occurrence  of  either  event  excludes  the  ocher, 
the  probability  of  either  of  them  happening  is  Che  sum  of  their  respective 
probabilities: 

P(A  or  B)  -  P(A  -t-  B)  -  P(A)  +  P{B)  (1) 

This  rule  can  apply  to  any  number  of  mutually  exclusive  events: 

P(A  +  B...-t-  N)  -  P(A)  +  P(B).,.+  P(N)  (2) 

2-3. 1.2  The  addition  rule  (non-exclusive  case).  If  A  and  B  are  two 
events  not  mutually  exclusive,  i.e.,  either  or  both  can  occur,  the 
probability  of  at  least  one  of  them  occurring  is: 

P(A  or  B)  -  P(A  -F  B)  «  P(A)  +  P(B)  -  P(AB)  (3) 

The  equation  for  three  events  becomes: 

p:a  -h  B  +  C)  »  P(A)  -t-  P(B)  +  P(C) 

-  P(AB)  -  P(AC)  -  ?(BC)  (4) 

+  P(ABC) 

This  rule  can  be  extended  to  any  number  of  events. 


Figure  7.  Task  description  from  MIL-STD-756B , 
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'1IL-HnRK-2l7D 
1 3  June  1 983 
DISCRETE  SEMICOriDUCTCRS 
CONVENTIONAL  TRANSISTORS 

5. I. 3.1.  Transistors,  Group  I 

specification 

MIL-S-19500 


j.rt  operating  failure  rate  model  (Xp): 


DESCRIPTION 

Si,  NPN 
Si,  PNP 
Oe,  PfIP 
Ge.  NPN 


X  =  X,  (n^  X  n.  X  X  IIo  X  n-_  x  n.)  Failures/10°  hours 
p  b  h  A  Q  R  52  C 

where  the  factors  are  shov/n  in  Tables  5. 1.3. 1-1  throuoh  10 

TABLE  5. 1.3. 1-1 

GROUP  I  TRANSISTORS 
ENVIRONMENTAL  MODE  FACTORS 


ENVIRONMENT 


ENVIRONMENT 

"e 

CO 

1 

‘^F 

5.8 

18 

12 

^SB 

9.8 

^'s 

9.8 

% 

21 

^'h 

19 

■'uu 

20 

27 

^C 

9.5 

^T 

15 

^IB 

35 

^A 

20 

^F 

40 

Supersedes  page  5. 1.3. 1-1  dated  15  Jan.  82 

5. 1.3. 1-1 


TABLE  5.1 .3.1-2 
^  FOR  GROUP  I  transistors 


application 


L i near 
Swi tch 

Si ,  low  noise, 
r.o. ,<iw. 


Figure  8.  Example  page  from  MIL-HDBK-271D. 
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deduced  from  these  tables,  he  can  do  so,  but  the  burden  of  proof  is  on  him: 
he  must  convince  the  Procuring  Activity  that  using  a  lower  failure  rate  is 
acceptable  by  presenting  appropriate  theoretical  and/or  experimental  evi¬ 
dence.  Claiming  that  the  requirement  must  be  waived  because  otherwise  he 
cannot  meet  his  other  contractual  requirements  on  time  is  not  an  acceptable 
justification.  If  this  situation  occurs,  he  is  in  danger  of  being  in 
default  of  his  contract,  and  financial  consequences  should  ensue.  We  are 
not  so  naive  as  to  argue  that  this  always  works  this  way;  but  at  least  the 
framework  is  there  to  enable  it  to  work.  Furthermore,  the  Procuring  Acti¬ 
vity  that  lets  a  contractor  off  this  hook  runs  the  risk  that  it  will  be  cri¬ 
ticized  when  consequences  become  apparent  to  other  parts  of  the  DoD. 

The  next  reference  in  this  sequence  is  RADC-TR-75-22,  Nonelectro¬ 
nic  Reliability  Notebook.  This  report  presents  hundreds  of  pages  of  tables 
of  reliability  values  and  confidence  limits  for  nonelectronic  devices  fre¬ 
quently  associated  with  electronic  systems  (e.g.  accelerometers,  actuators, 
batteries,  connectors,  meters,  motors,  relays,  switches,  transducers, 
valves).  There  are  also  sections  on  applicable  statistical  methods,  relia¬ 
bility  prediction  and  reliability  demonstration  tests.  It  is  a  complement 
for  nonelectronic  devices  to  MIL-HDBK-217D  data  for  electronic  devices. 

The  last  reference  in  sequence  is  a  document  prepared  by  the  Pro¬ 
curing  Activity  for  this  system,  ESD-TR-83-197,  Derated  Application  of  Parts 
for  ESD  Systems  Development.  It  requires  each  Program  Office  to  select  one 
of  three  Derating  Levels,  depending  on  the  nature  of  the  mission  (e.g. 
Spaceborne  equipments  must  be  Level  I).  It  then  spells  out  the  derating 
requirements  for  families  of  electronic  devices.  For  example,  ceramic  capa¬ 
citors  defined  by  MIL-C-39014  must  be  derated  by  50%  in  d.c.  voltage  and  by 
10“C  in  maximum  temperature  for  Level  I  applications.  MIL-HDBK-217D  allowed 
them  to  be  used  up  to  the  maximum  rated  voltages  and  temperatures,  but  with 
appropriate  steep  escalation  of  the  failure  rate,  as  illustrated  in  Fig¬ 
ure  9.  In  this  case  the  Procuring  Activity,  ESD,  has  chosen  to  impose  the 
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1  S.  .l*nii^rv  1 

CAPACITORS 
MIL-C-11015,  CK; 
MIL-C-39014,  CXR 

Table  5. 1.7. 4-4 

Capacitors,  Fixed,  Ceramic 

(General  Purpose)  Base  Failure  Races,  for  T-85*C  max  rated)* 
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oooz? 

.0014 

000'?  1 

.0014 

JO 

.0014 

.9024 

.0040 

0065 

0993 

.014 

.020 

.927 

45 

.  V  76 

ornA® 

.0015 

.0025 

.0041 

0066 

019 

.015 

.020 

.92? 

so 

.coorr 

000?6 

.0015 

.9025 

.0842 

0067 

010 

.015 

.021 

.923 

53 

. no ore 

00  O' 07 

.0015 

.9025 

.0042 

0967 

019 

.913 

.021 

.023 

50 

.oocr? 

000?  3 

.0015 

.0026 

.0043 

0968 

019 

.0  15 

.021 

.029 

65 

. oooso 

00  10 

.0015 

.0026 

.0043 

0063 

on 

.015 

.922 

.023 

ro 

0010 

.0016 

.0026 

.0044 

0070 

01  1 

.0  16 

.922 

.039 

rs 

. 00003 

00  10 

.0016 

.0827 

.0045 

0071 

0  1  1 

.016 

.  '?32 

.  030 

so 

.  O'- 003 

00  10 

.00  16 

.0027 

.0045 

.0072 

01  1 

.016 

.923 

.03  1 

S5 

.00005 

00  1  1 

.0016 

.0027 

.0046 

.0073 

01  1 

.'Die 

.023 

.  03  1 

■Applicable  to 

styles  OCR 

13,  48, 

64,  72 

of  MIL 

-C-39014. 

Applicable  to  ''A'.'  rated  temperature  of  MIL-C-11015  as  shown  in  type 
designation,  e.g.,  CX61AW222M. 

5. 1.7. 4-2 


Figure  9.  Example  of  deratina  levels  (copy  of  page 
from  MIL-HDBK-217D). 


extra  constraint  not  to  operate  the  devices  close  to  their  limits,  even  if 
the  overall  system  failure  budget  allowed  the  higher  failure  rate  imposed  by 
HDBK-217D. 

In  addition  to  these  explicit  reliability  documents,  reliability 
is  affected  by  parameters  incorporated  into  many  individual  device  specifi¬ 
cations.  In  the  example  above  there  was  a  MIL-S-39014  specification  for  a 
family  of  ceramic  capacitors.  This  specification  includes  a  number  of  con¬ 
straints  on  the  type  of  materials  and  construction  that  are  acceptable  in 
such  capacitors  for  military  use.  Some  of  these  constraints  were  probably 
incorporated  because  previous  experience  had  indicated  that  reliability 
could  be  compromised  otherwise. 

2.2.2  Other  Examples. 

We  have  used  Reliability  Management  as  an  example,  because  it  is 
particularly  appropriate  for  its  close  analogy  with  Hardness  Management. 
But  Reliability  is  not  unique.  Inspection  of  the  list  of  Specifications 
incorporated  into  our  sample  contract  reveals  a  similar  set  of  documents  for 
electromagnetic  compatibility  and  interference,  as  summarized  in  Figure  10, 
and  other  environmental  effects.  In  each  case,  there  are  documents  that: 

1.  Specify  management  procedures  to  be  implemented. 

2.  Provide  technical  rules  for  predicting  bounds  on  the  effects. 

3.  Provide  government-accepted  (i.e.  certified)  data  that  can  be 
used  in  the  predictions. 

4.  Impose  verification  tests  to  validate  the  predictions. 

5.  Provide  standards  to  define  acceptable  procedures  for 
carrying  out  the  analyses  and  tests. 
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6.  Incorporate  environmental  considerations,  where  needed,  in 
the  specifications  for  specific  items. 


MIL-E-6051D 

El ectromagneti c  Compati bi 1 i ty 

Requirements  System 

7  Sep 

1967 

Amendment  1 

5  Jul 

1968 

MIL-STD-461B 

Electromagnetic  Emission  and 

Susceptibility  Requirements  for  the 

Control  of  Electromagnetic  Interference 

1  Apr 

1980 

MIL-STD-462 

Electromagnetic  Interference 

Characteristics 

31  Jul 

1977 

Notice  4 

1  Apr 

1980 

MIL-B-5087B 

Bonding,  Electrical,  and  Lightning 

Protection  for  Aerospace  Systems 

31  Aug 

1970 

DOD-HDBK-263 

Electrostatic  Discharge  Control  Handbook 
for  Protection  of  Electrical  and  Electronic 
Parts,  Assemblies  and  Equipment 

2  May 

1980 

NACSIM  5100A 

Compromising  Emanations  Laboratory  Test 
Standard  Electromagnetics  (Secret) 

1  Jul 

1981 

Figure  10.  ECM  and  EMI  references. 


2.2.3 


Application  to  Hardness  Management. 


Clearly  the  current  situation  in  hardness  management  is  far  from 
the  level  of  documentation  available  to  Reliability  Management.  Returning 
to  the  Westinghouse  specification,  one  hardness  related  document  is  refer¬ 
enced:  AFWL-TR-76-147,  Nuclear  Hardness  Assurance  Guidelines  for  Systems 
with  Moderate  Requirements.  This  document  was  written  and  published  by  - 
Patrick  and  Ferry  in  1976  as  an  initial  and  major  step  in  translating  nuc¬ 
lear  effects  expertise  into  specific  recipes  for  systems  applications.  In 
particular,  it  established  two  classes  of  devices  ,  HCI-1  and  HCI-2,  depend¬ 
ing  on  the  margin  between  device  performance  under  nuclear  stress  and  the 
system  requirements.  The  intent  was  to  identify  the  low-margin  hardness- 
critical  devices  so  that  appropriate  quality  control,  hardness  maintenance 


and  hardness  surveillance  actions  could  prevent  a  degradation  that  would 
impair  system  hardness.  Specific  margins  were  suggested  for  different 
effects.  They  were  not  derived  by  any  formal  process  (e.g.  statistical  ana¬ 
lysis),  but  represented  the  authors'  best  judgements  on  the  compromise 
between  covering  the  expected  variations  and  imposing  too  severe  a  con¬ 
straint  on  the  designer. 

In  many  subsequent  applications,  including  our  Westinghouse  exam¬ 
ple,  the  HCI  categorization  suggested  by  Patrick  and  Ferry  has  been  extended 
by  adding  an  Uncategorized  designation.  In  effect,  if  the  margin  is  suffi¬ 
ciently  large  that  no  credible  variations  can  jeopardize  system  hardness  the 
part  need  not  be  included  in  any  subsequent  hardness  considerations.  This 
categorization  is  implemented  by  specifying  the  margins  for  each  effect,  as 
in  Figure  11  reproduced  from  the  Westinghouse  specification.  This  procedure 
is  not  unique  to  the  Westinghouse  specification;  similar  procedures  and  mar¬ 
gin  values  have  been  imposed  on  many  other  systems  programs. 

So  what's  wrong  with  that?  Clearly,  Patrick  and  Ferry  started  to 
do  what  we  recommend.  Their  procedures  were  influenced  strongly  by  analogy 
with  reliability  management  and  other  commonly  used  military  specifications. 
We  understand  that  they  did  not  intend  for  AFWL-TR-76-147  to  be  used  as  it 
has  been,  i.e.  incorporated  as  the  reference  for  hardness  categorization  and 
hardness  assurance.  They  intended  it  as  a  first  step  pointing  the  way  to 
such  documents.  It  is  regrettable  that  nine  years  later  it  is  still  the 
only  hardness  management  document  being  referenced  in  most  military  procure¬ 
ments.  We  understand  also  that  Ferry  has  prepared  a  draft  of  a  follow-on 
report,  and  we  look  forward  to  the  opportunity  to  study  it. 

So  what  is  specifically  wrong?  A  lot  of  specifics  need  improving 
and  many  more  types  of  documents  need  to  be  prepared.  Consider  first  the 
application  of  AFWL-TR-76-147  in  the  Westinghouse  specification,  and  parti¬ 
cularly  the  table  reproduced  in  Figure  11.  The  following  are  just  examples. 


TABLE  U  HARDNESS  CLASS 

_  _ Margin  Class 


ENVIRONMENT 

Gamma  Rata 
(Response  Magnitude) 

Gamma  Rate 
(Race  Timing) 

Gamma  Rate 
(Analog  Time  Ratio) 

Neutron  Fluence 

Total  Dose 

EMP 


Margin  calculation  accuracy  range  from  most  accurate  (L)  to 
engineering  judgment  (3). 

•uoltage  or  current  ratio 


DM 

^10 

10 

^  DM 

^  100 

DM-^ 

ICO 

DM 

5 

5 

DM 

50 

DM 

so 

DM 

10 

10 

DM 

100 

DM 

ICO 

DM 

10 

10 

DM 

100 

DM 

ICO 

DM 

5 

5 

10 

DM 

10 

DM 

<  10  dB* 

10 

dB  i:  DM 

<  30 

dB  DM  > 

30 

'figure  11.  Hardness  margin  class. 
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Compare  the  margin  break  points  for  neutron  fluence  and  total 
dose.  In  order  to  be  Uncategorized  (Margin  class  3)  the 
ratio  between  device  tolerance  and  system  specification  need 
only  be  a  factor  of  10  for  total  dose,  but  a  factor  of  100 
for  neutron  fluence.  This  implies  that  at  a  given  level  of 
risk  variations  in  device  response  for  neutron-induced  dis¬ 
placement  effects  will  be  significantly  larger  than  for 
gamma-induced  long-term  ionization  effects.  Data  clearly 
disagree.  The  parameters  that  control  neutron  response 
(e.g.  bipolar  device  base  width,  carrier  injection  level)  are 
much  more  closely  controlled  in  normal  device  manufacture 
than  those  that  determine  the  total-dose  susceptibility 
(e.g.  quality  of  the  oxide  and  the  temperature  history  during 
device  processing).  Therefore,  these  margins  should  be 
different,  probably  by  decreasing  the  neutron  margin  and 
increasing  the  total  dose  margin. 

The  margin  break  points  for  EMP  are  given  in  dB,  which  refers 
to  EMP  energy.  This  definition  would  be  unambiguous  if  we 
were  dealing  with  a  linear  system:  20  dB  corresponds  to  a 
factor  of  100  in  energy  and  a  factor  of  10  in  voltage  or  cur¬ 
rent  at  any  point  in  the  linear  system.  However,  not  only  is 
most  EMP  response  nonlinear  at  the  affected  device  (i.e.  the 
device  almost  always  becomes  nonlinear  before  it  is  damaged), 
but  most  hardened  systems  deliberately  introduce  nonlinear 
devices  (e.g.  voltage  limiters)  to  protect  the  system  from 
EMP.  In  this  case  the  result  is  considerably  different  if 
the  20  dB  margin  is  applied  to  the  incident  environment  or  to 
energy  deposited  in  the  affected  device.  Actually,  either 
approach  by  itself  can  produce  unreasonable  answers.  Consi¬ 
der  the  following  cases: 


A  voltage  limiter  clamps  the  voltage  applied  to  a  down¬ 
stream  transistor  to  10  V  when  excited  by  the  specified 
EMP  stress,  increasing  to  15  V  when  the  incident  field 
energy  is  increased  by  a  factor  of  1000.  The  transistor 
has  a  rated  reverse  junction  breakdown  voltage  of  20  V 
and  a  dc  power  rating  of  1  W.  During  the  specified  1  us 
EMP  pulse  it  dissipates  0.5  W,  and  the  pulse  damage  con¬ 
stant  for  the  device  corresponds  to  a  10  W,  1  ps  pulse 
for  the  threshold  of  damage.  Note  now  that  this  device 
operates  within  its  dc  rating  envelope  in  both  power  and 
voltage  as  long  as  the  voltage  limiter  does  its  job,  even 
if  the  applied  EMP  field  were  increased  by  a  factor  of 
30  dB.  Common  sense  would  say  that  it  should  be  Uncate¬ 
gorized.  However,  if  the  margin  is  applied  to  the  energy 
dissipated  in  the  device,  instead  of  the  external  field, 
it  would  have  to  be  assigned  to  HCI-2,  because  the  power 
dissipated  in  the  device  during  the  pulse  is  less  than 
1000  times  the  damage  threshold  for  the  same  pulse 
length.  If  this  device  dissipated  only  0.1  W  of  power  in 
normal  operation,  which  is  certainly  reasonable  for  a  1  W 
transistor,  it  would  be  categorized  HCI-2  even  for  a  zero 
EMP  induced  stress!  This  argument  would  lead  us  to 
applying  the  margin  to  the  external  field  rather  than  to 
the  energy  deposited  in  the  device. 

Now  modify  the  foregoing  example  by  changing  the  device 
breakdown  voltage  to  9  V  and  making  the  energy  delivered 
to  the  device  by  a  10  V  pulse  passed  by  the  voltage  limi¬ 
ter  equal  to  50%  of  the  damage  threshold.  If  the  margin 
is  applied  to  the  external  field  the  device  is  Uncatego¬ 
rized:  the  energy  delivered  to  it  is  less  than  the 
expected  damage  threshold  even  when  the  incident  field 


energy  Is  Increased  by  30  dB.  But  consider  what  is  hap¬ 
pening  to  the  device.  It  can  undergo  avalanche  break¬ 
down,  even  at  the  specified  field  without  margin,  and  the 
energy  delivered  to  it  is  within  a  factor  of  two  of  the 
estimated  damage  threshold.  There  exist  many  data  to 
demonstrate  that  the  damage  threshold  is  distributed  very 
widely:  the  standard  deviation  in  a  log  normal  fit  to 
the  distribution  is  usually  greater  than  a  factor  of  two. 
Thus  a  device  that  undergoes  breakdown  and  is  within  a 
factor  of  two  of  its  failure  energy  deserves  a  lot  of 
attention,  probably  circuit  redesign.  This  illustrates 
that  there  are  situations  in  which  at  least  part  of  the 
margin  must  be  applied  to  the  energy  deposited  in  the 
device,  especially  when  the  device  is  driven  into  an 
abnormal  state  (e.g.  breakdown). 


Me  recently  encountered  exactly  this  situation  on  a  subcontract  to 
perform  hardness  validation  analysis  for  individual  modules  of  an  Air  Force 
system.  Since  the  referenced  specifications  were  ambiguous,  as  illustrated 
above,  we  offered  an  unambiguous  definition,  specifically: 


The  first  10  dB  is  applied  to  the  environment.  If  the 
expected  device  failure  level  is  above  the  specification  but 
below  the  10  dB  margin  it  falls  into  category  HCI-1.  If, 
however,  the  device  is  still  within  its  commercial  or  MIL- 
SPEC  ratings  with  the  10  dB  margin,  it  is  Uncategorized. 


If  the  device  is  driven  into  an  abnormal  state  at  the  10  dB 
level,  the  energy  deposited  in  it  during  the  excitation  is 
compared  to  the  damage  threshold.  If  there  is  at  least  a 
20  dB  margin,  then  the  device  is  Uncategorized.  Otherwise, 
it  is  assigned  to  HCI-2. 
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This  reconmendation  recognizes  that  the  largest  uncertainty  is  needed  to 
cover  the  variation  in  damage  thresholds  for  devices  driven  into  breakdown. 
Such  a  margin  is  not  needed  if  the  device  is  stressed  within  its  rated  enve* 
lope,  because  it  is  designed  and  constructed  to  operated  within  that  enve* 
lope  with  high  confidence. 

This  discussion  is  intended  to  demonstrate  that  the  first  steps 
toward  implementing  our  recommendations  have  been  taken,  but  that  the 
results  are  far  from  complete  and  the  rate  of  progress  in  recent  years  has 
been  far  below  optimal.  The  steps  that  have  been  taken  are  good  analogies 
to  Reliability  and  other  -ilities.  Acceptance  from  the  system  development 
community  has  been  excellent.  Consider  the  fact  that  AFWL*TR-76*147  is  cur¬ 
rently  being  cited  in  many  contracts,  even  though  it  has  not  been  through 
the  MIL-STD  review  and  publication  process.  System  personnel  would  much 
rather  cite  a  reference,  especially  one  that  has  the  approval  of  the  appro¬ 
priate  expert  community,  compared  to  having  to  generate  their  own  recipe  for 
dealing  with  a  problem  that  they  don't  really  understand. 

2.3  TYPES  OF  DOCUMEMTS. 

2.3.1  General. 

At  present  there  are  three  principal  documents  associated  with  Hard¬ 
ness  Management  that  apply  to  most  major  system  development  programs: 

1.  DoDI  4245.4  demands  that  the  responsible  Service  consider 
nuclear  survivability  requirements  for  oach  proposed  new 
system,  and  that  an  appropriate  combination  of  means  be 
incorporated  into  the  system  specifications  to  meet  those 
requirements.  One  of  the  means  of  promoting  survivability  is 
nuclear  hardness;  others  include  deception,  mobility,  hiding. 
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etc.,  which  impose  different  characteristics  on  the  system. 
In  this  report  we  will  deal  only  with  the  hardness  issues. 
The  DoDI  also  defines  survivability  (including  hardness) 
inputs  to  the  various  program  milestones,  and  the  incorpora¬ 
tion  of  nuclear  survivability  inputs  to  the  DSCARC  review 
process. 

2.  Each  Service  has  published  a  procedure  by  which  the  specific 
nuclear  survivability  requirements  for  each  system,  major  and 
non-major  in  the  DoD  sense,  will  be  established.  For  the 
Army  this  is  published  in  AR-70-60,  Army  Nuclear  Survivabi¬ 
lity.  This  document,  as  well  as  its  Air  Force  and  Navy  coun¬ 
terparts,  establishes  a  General  Officer  committee,  the 
Nuclear  Survivability  Committee  (NSC),  with  the  authority  to 
specify  the  survivability  requirements.  Actually,  the  com¬ 
mittee  meets  rarely,  but  they  motivate  a  secretariat,  the 
Nuclear  Survivability  Committee  Secretariat  (NSCS)  to  perform 
the  necessary  studies,  analyses  and  tradeoffs  whereby  a  rea¬ 
sonable  requirement  is  defined.  The  result  of  this  process 
is  incorporated  into  the  systems  requirements  documents, 
usually  in  the  form  of  nuclear  environment  specifications 
that  the  system  must  tolerate  without  unacceptable  perfor¬ 
mance  degradation.  The  exact  definition  of  acceptable 
performance  during  nuclear  exposure  is  usually  not  addressed, 
and  becomes  the  subject  of  ongoing  negotiations  between  the 
system  developers  and  user  representatives. 

3.  Eventually,  all  the  requirements  for  the  system  are  incorpo¬ 
rated  into  specifications  in  the  contract  for  system  develop¬ 
ment  and  manufacture.  Normally,  the  nuclear  environment  spe¬ 
cifications  are  passed  on  in  this  contract.  Sometimes,  addi¬ 
tional  specific  tests  are  required  to  demonstrate  some  mea¬ 
sure  of  compliance  with  the  environmental  tolerance,  although 
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the  issue  of  success  criterion  for  these  tests  is  rarely  dis¬ 
cussed.  Another  usual  feature  is  the  requirement  that  the 
contractor  develop,  for  Government  approval,  a  plan  for  the 
hardening  and  hardness  validation  efforts.  It's  usually  not 
clear  what's  supposed  to  happen  if  the  Government  doesn't 
approve  the  plan.  Historical  practice  has  been  to  negotiate 
a  compromise  between  what  nuclear  effects  experts  believe  is 
needed,  what  the  contractor  has  proposed,  and  what  the  SPO  is 
willing  to  fund. 

Beyond  this  point  there  are  a  plethora  of  useful  and  unuseful  doc¬ 
uments  that  discuss  nuclear  effects  problems  and  describe  possible  hardening 
techniques.  The  most  important  shortcoming  to  these  documents  is  that  they 
are  not  in  a  form  useful  for  establishing  contractual  compliance;  i.e.,  they 
do  not  establish  an  objective  standard  for  success.  Another  major  short¬ 
coming  is  that  many  of  the  documents  contain  a  finite  admixture  of  incorrect 
information,  which  those  who  are  not  nuclear  effects  experts  will  not  be 
able  to  distinguish  from  the  important  data. 

We  will  now  discuss  the  type  of  documents  that  need  to  be  extended 
and  prepared  to  formalize  Hardness  Management. 

2.3.2  Hardness  Management  Document. 

This  document  is  addressed  to  managers  (e.g.  the  Program  Officer 
and  his  senior  staff  in  the  Procuring  Activity;  the  Program  Manager,  Chief 
Engineer,  Hardness  Manager,  etc  in  the  development  contractor).  It  should 
tell  the  managers  what  they  need  to  know  and  do  in  order  to  achieve  a  system 
where  hardness  is  validated  in  a  cost  effective  and  timely  manner.  In  par¬ 
ticular,  it  should  include: 


1. 


A  brief  qualitative  summary  description  of  the  nuclear 
effects  to  be  considered.  This  should  not  attempt  to  go 
beyond  the  minimum  needed  for  the  managers  to  have  sufficient 
understanding  to  make  intelligent  judgements  about  programa- 
tic  matters. 

2.  A  sequence  of  hardness  related  events  that  need  to  take  place 
for  a  successful  program.  These  start  with  receiving  the 
system  performance  and  adverse  environment  specifications,  as 
determined  and  approved  by  the  responsible  Service.  They 
proceed  with  identifying  the  tasks  needed  to  translate  these 
into  the  form  suitable  for  competitive  procurement  and  con¬ 
tract  awards,  setting  up  the  organization  required  to  monitor 
compliance  with  the  requirements,  developing  suitable  hard¬ 
ness  validation  procedures,  and  meeting  the  various  mile¬ 
stones  for  the  Service  SARC  (e.g.  ASARC)  and  OSARC  reviews. 
These  descriptions  do  not  include  the  technical  factors  by 
which  these  tasks  will  be  accomplished:  that’s  reserved  for  a 
different  document.  This  document  is  for  the  manager  who 
needs  to  remember  to  have  someone  do  the  required  technical 
tasks,  and  needs  to  review  the  result  for  meeting  the  pro¬ 
grammatic  requirements. 

3.  A  list  of  organizations  (e.g.  staff  functions,  review  groups) 
and  responsibilities  that  are  consistent  with  normal  program 
execution,  by  which  the  hardness-related  issues  are  best 
addressed. 

4.  Examples  of  procedures  that  have  been  successful,  or  are  con¬ 
sidered  likely  to  be,  for  providing  the  management  incentive 
by  which  cost-effective  hardness  is  accomplished. 
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5.  A  catalog  of  resources  (e.g.  documents,  agencies,  facilities) 
that  are  available  to  support  the  management  and  technical 
efforts  required  for  a  successful  hardening  program. 

One  of  the  key  parameters  for  this  document  is  that  it  must  be 
short.  One  can  not  expect  program  managers,  with  multi-dimensional  demands 
on  their  time,  to  pore  over  a  multi-hundred  page  document  just  to  learn  to 
manage  hardness.  Instead,  a  short  document  with  a  good  index,  and  easy  to 
comprehend  recipes  for  doing  things  will  be  used  because  the  manager  finds 
that  it  simplifies  his  job.  A  long  document  that  dwells  on  the  problems 
instead  of  solving  them  only  complicates  his  job.  He  doesn't  need  that. 

2.3.3  Hardness  Validation  Methodology. 

The  key  to  any  hardening  program  is  the  methodology  that  is  used 
to  validate  that  adequate  hardness  has  been  achieved.  No  matter  how  sincere 
the  dedication  and  motivation  of  the  participants  in  a  development  program 
are,  they  naturally  keep  in  conspicuous  view  the  means  that  are  going  to  be 
used  to  grade  their  success.  A  baseline  assumption,  which  will  not  be  far 
off  in  practice,  is  that  the  hardening  program  will  accomplish  just  enough 
to  pass  the  validation  requirements.  Therefore,  achieving  adequate  hardness 
to  an  operational  nuclear  exposure  requires  that  the  validation  methodology 
be  sufficiently  congruent  to  operational  conditions.  In  effect,  a  reason¬ 
able  set  of  analyses  and  tests  need  to  be  formulated  so  that  success 
(according  to  predefined  criteria)  in  the  validation  program  provides 
acceptable  confidence  of  survival  under  operational  conditions.  This 
requirement  imposes  an  enormous  challenge  to  the  understanding  of  nuclear 
effects.  Since  it's  clearly  impractical  to  reproduce  all  parameters  of  a 
realistic  scenario,  an  understanding  of  the  relevance  of  each  parameter  is 
needed  to  decide  which  can  be  compromised,  which  have  to  be  compensated  by 
an  appropriate  margin,  and  which  have  to  be  considered  carefully  in  a  vali¬ 
dation  program.  Similarly,  the  roles  of  analysis  and  test  tasks  have  to  be 


integrated  effectively.  Analysis  is  always  required  to  perform  the  final 
bridging  to  operational  reality.  Analysis  can  also  serve  to  predict 
responses  when  sufficient  understanding  is  available.  Tests  need  to  explore 
uncertainties  that  are  beyond  reasonable  analytical  capability.  Unfortu¬ 
nately,  there  is  a  tendency  to  perform  those  tests  that  are  easiest  and 
least  expensive;  but  they  usually  address  the  areas  that  we  understand  the 
best,  i.e.  those  in  which  analysis  may  come  closest  to  the  answer  without 
test  data. 


This  discussion  introduces  the  importance  of  the  Validation  Metho¬ 
dology,  and  indicates  the  intense  stress  its  development  places  on  our 
understanding  of  nuclear  effects  phenomenology.  We  will  now  indicate  some 
of  the  features  of  a  Validation  Methodology  document. 

1.  The  document  is  introduced  with  a  discussion  of  those  nuclear 
effects  to  be  covered  and  the  type  of  systems  to  which  it 
applies  (i.e.  the  scope  of  the  document).  In  the  process, 
sufficient  discussion  of  the  technical  aspects  of  the  nuclear 
effects  is  given  to  provide  the  potential  user  with  suffi¬ 
cient  understanding  to  perform  his  function.  In  this  case 
the  user  is  still  primarily  in  a  management  role,  but  is  more 
technically  oriented  than  the  managers  addressed  in  the  pre¬ 
vious  document.  Therefore,  the  technical  discussion,  while 
it  should  still  be  brief,  goes  into  more  technical  depth  than 
in  the  Management  document. 

2.  The  document  considers  each  of  the  relevant  nuclear  effects, 
and  integrates  them  into  a  combined  validation  methodology  in 
which  stresses  are  combined  in  the  most  effective  manner. 
For  example,  displacement  effects  from  neutrons  and  long-term 
ionization  effects  from  gammas  both  produce  cumulative  degra¬ 
dation  in  the  important  properties  of  semiconductor  devices. 
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The  validation  program  should  consider  each  at  the  device 
level,  but  combine  their  effects  into  a  single  device  degra¬ 
dation  factor  before  incorporating  the  result  into  the  cir¬ 
cuit  functional  analysis.  Similarly,  some  nonnuclear  envi¬ 
ronments  produce  stresses  similar  to  some  nuclear  stresses 
(e.g.  lightning  and  HEMP).  The  analysis  and  test  program 
should  consider  these  specifications  together,  even  if  the 
dominant  frequencies  of  the  excitations  are  different, 
because  the  techniques  used  to  perform  the  calculations,  to 
apply  test  stresses,  and  to  diagnose  equipment  response  are 
similar. 

The  document  does  not  present  only  a  single  approved  valida¬ 
tion  methodology,  but  defines  the  rules  for  constructing  any 
of  a  number  of  approved  methodologies  out  of  building  blocks: 
individual  analysis  and  test  tasks.  All  of  the  blocks  are 
identified,  together  with  references  to  Standards  documents 
that  define  adequacy  criteria  for  their  application,  and  the 
means  whereby  a  satisfactory  Methodology  can  be  constructed 
are  spelled  out,  but  each  development  organization  is  allowed 
to  choose  among  these  options. 

The  methods  (building  blocks  for  the  Methodology)  include  a 
hierarchy  of  sophistication,  cost  and  accuracy.  Each  method 
is  accompanied  by  a  margin  that  must  be  validated  when  using 
that  method.  The  margin  is  defined  by  the  Government  to  be 
sufficient  to  overcome  all  know  uncertainties  in  applying  the 
method.  Presumably,  the  least  costly  methods  will  also  have 
the  larger  margins  imposed  on  them.  This  places  the  develop¬ 
ing  organization  in  the  position  of  properly  conducting  the 
tradeoff  between  margin  (which  may  be  costly  in  hardware)  and 
validation  methods  (which  become  more  costly  as  the  available 
margin  becomes  smaller). 
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5.  Examples  of  Validation  Methodologies  should  be  given  to  illu¬ 
strate  how  to  develop  one  from  the  information  given  in  the 
document. 

The  principles  to  which  we  adhere  in  this  approach  are: 

1.  The  development  organization  should  be  provided  as  much 
tradeoff  room  as  possible  to  achieve  an  optimum  development 
program,  in  which  hardening  is  one,  but  only  one,  vital 
dimension. 

2.  The  tradeoffs  should  be  performed  subject  to  con¬ 
straints  on  sufficiency  defined  by  the  Methodology  document. 

3.  Systems  development  organization  will  be  motivated  to 
incorporate  design  margins  when  that  results  in  a  savings  in 
validation  costs. 

2.3.4  Specification  Formats. 

We  have  already  referred  to  the  environmental  specifications  that 
are  currently  written  into  many  hardware  contracts.  Through  experience  and 
review  these  are  now  presented  in  reasonably  complete  and  standard  forms, 
and  are  mostly  adequate.  However,  this  specification  is  only  a  small  part 
of  the  total.  Specifications  need  to  be  incorporated  into  the  entire  con¬ 
tract  tree  extending  from  the  prime  item  to  the  individual  piece  part  pro¬ 
vided  by  a  vendor  to  a  subcontractor. 

To  some  degree  many  of  these  contract  interfaces  will  affect  the 
nuclear  hardness  of  the  system.  It's  impractical  to  educate  all  the  speci¬ 
fication  writers  in  this  chain  to  be  nuclear  effects  experts.  Tnerefore, 
it's  important  to  provide  guidance  on  how  to  write  specifications  that 
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include  nuclear  effects  in  such  a  manner  as  to  be  effective  and  appropriate 
to  the  item  being  purchased.  The  need  for  this  is  clear.  For  example,  we 
recently  performed  an  HEMP  hardness  validation  analysis  for  an  Army  equip¬ 
ment,  for  which  the  electrical  stress  was  specified  by  a  voltage/current  and 
pulse  length,  but  no  rise  time.  Since  parasitic  coupling  (e.g.  buried  cir¬ 
cuit  excitation)  is  strongly  dependent  on  the  high  frequency  content  of  the 
electrical  stress,  this  specification  was  clearly  insufficient.  We  sug¬ 
gested  a  reasonable  rise  time,  which  was  accepted  by  our  customer,  and  pro¬ 
ceeded  with  the  analysis.  However,  this  was  clearly  an  unsatisfactory  situ¬ 
ation  for  a  mature  discipline.  There  should  exist  suitable  formats  into 
which  the  specific  equipment  numbers  can  be  inserted,  but  which  ensure  that 
all  of  the  relevant  numbers  are  included. 

In  some  cases  the  nuclear  effects  community  should  go  beyond  that 
point  and  provide  a  complete  specification.  The  case  of  HEMP  is  an  example: 
the  fact  that  the  appropriate  HEMP  environment  specification  is  almost  inde¬ 
pendent  of  the  target  system  or  battlefield  scenario  implies  that  a  single 
integrated  HEMP  specification  applying  to  a  large  range  of  target  equipments 
is  appropriate.  This  recognition  led  DNA  to  play  the  major  role  in  the 
development  of  DoD-STD-2169,  which  presents  such  a  specification.  The  more 
common  case,  however,  is  where  the  individual  values  of  the  stresses  vary 
greatly  between  applications.  For  example,  a  single  specification  for  HEMP 
stresses  to  electronics  boxes  would  not  be  useful;  the  actual  voltages/cur¬ 
rents  on  the  wires  and  the  skin  currents  on  the  boxes  are  a  strong  function 
of  the  external  wiring  geometry  and  enclosure  shielding  as  well  as  the  sin¬ 
gle  HEMP  field  environment.  In  this  case,  the  appropriate  document  is  a 
specification  filled  in  with  TBD  to  indicate  the  numbers  that  must  be 
inserted  for  each  application. 


2.3.5 


Standards. 


We  define  a  Standard  as  a  prescription  for  an  item,  process,  or 
procedure.  Some  standards  define  an  item;  e.g.  MIL-C-39014  described  the 
minimum  acceptable  characteristics  of  a  ceramic  capacitor.  Standards  also 
may  define  a  process;  some  features  of  a  device  may  be  determined  by 
defining  the  process  used  to  make  it.  Standards  also  define  procedures, 
ranging  from  management  procedures  (e.g.  the  reliability  management  standard 
discussed  above)  to  analysis  and  test  procedures  (e.g.  a  standard  for  mea¬ 
surement  of  neutron  fluence  and  spectrum).  In  effect  a  Standard  controls 
the  quality  of  something;  those  parameters  that  need  to  be  bounded  to 
achieve  the  desired  result  must  be  addressed  by  the  Standard.  The  Standard 
is  written  in  recipe  form.  It  may  have  some  introductory  tutorial  informa¬ 
tion,  and  perhaps  an  explanatory  Appendix  that  describes  the  rationale  for 
the  recipe  but  basically  the  recipe  is  the  key  operative  content.  As  such 
the  Standard  should  have  the  force  of  a  legal  document:  a  nontechnical 
lavyyer  should  be  able  to  determine  whether  it  has  been  complied  with. 

2.3.6  Certified  Data. 

There  is  no  formal  requirement  for  the  Government  to  supply  certi¬ 
fied  data  for  the  Hardness  Validation  process.  Given  a  complete  set  of 
Standards  by  which  acceptable  data  can  be  generated,  the  validator  has  at 
his  disposal  all  the  means  necessary  to  accomplish  the  process.  However,  it 
is  inefficient  for  many  organizations  to  duplicate  efforts  (e.g.  test  the 
same  devices).  It  is  even  more  inefficient  for  validation  efforts  to 
address  issues  that  could  not  possibly  jeopardize  the  hardness  of  a  system 
just  because  there  appears  to  be  a  formal  requirement  to  do  so.  For  exam¬ 
ple,  we  have  recently  performed  a  number  of  neutron  fluence  analyses  for 
systems  in  which  the  threat  fluence  was  well  below  10^^  n/cm^  (1  MeV  equiv). 
There  are  very  few  semiconductor  devices  in  which  any  significant  effects 
occur  at  these  low  fluences.  A  quick  evaluation  whether  such  sensitive 
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devices  are  present  should  serve  to  complete  the  validation.  Nevertheless, 
the  whole  procedure  implied  by  AFWL-TR-76-147  was  required  with  a  foregone 
conclusion:  there  were  no  hardness  critical  items  because  of  neutrons.  This 
same  conclusion  could  have  been  derived  at  much  less  cost  if  the  Government 
had  certified  a  simple  worst-case  formula  for  neutron  damage,  and  reasonable 
implications  of  using  worst-case  results  {e.g.  do  not  apply  additional  mar¬ 
gins  if  the  result  is  already  truly  worst  case).  Many  other  examples  can 
be  found.  The  reason  for  supplying  such  data  is  strictly  economic:  the  tax¬ 
payers  money  can  be  diverted  to  addressing  more  significant  issues  by  pro¬ 
viding  some  information  as  given  and  acceptable  to  the  Government. 

There  must  be  some  caution  in  the  definition  of  certified  data. 
Not  all  Government  provided  data  is  certified.  For  example,  in  the  area  of 
neutron  effects  some  worst  case  formulas  based  on  the  physics  of  devices  and 
studies  of  data  banks  would  be  reasonable  candidates  for  certified  data. 
The  actual  data  in  the  DASIAC  data  bank  should  be  provided  as  useful  infor¬ 
mation,  but  would  not  be  certified.  The  user  would  have  to  apply  the  rules 
contained  in  Standards  to  those  data  to  determine  which  are  appropriate  for 
incorporation  into  his  validation  tasks. 

2.3.7  Gui del ine  Documents. 

Guideline  documents  serve  to  provide  useful  information  for  the 
managers  and  engineers  conducting  a  nuclear  hardening  program.  They  are 
designed  to  be  informative  and  useful,  but  do  are  not  mandatory  in  the  con¬ 
tractual  sense.  There  is  no  requirement  to  follow  the  guideline  recommended 
practices.  Their  only  persuasion  is  the  quality  and  usefulness  of  the  mate¬ 
rial  contained.  Among  other  subjects,  guidelines  could  address  recommended 
hardening  techniques,  specific  instrumentation  practices  for  tests,  and  the 
means  whereby  the  numbers  could  be  derived  to  fill  in  the  specification  for¬ 
mats. 
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It  is  sometimes  tempting  to  include  nonmandatory  guideline  infor¬ 
mation  in  the  more  formal  contractually-required  documents,  e.g.  Standards, 
Specification  Formats,  and  Methodologies.  We  recommend  against  doing  so  in 
the  main  body  of  the  document,  because  it  might  lead  to  misinterpretation 
between  mandatory  and  advisory  material.  It  is  suitable  to  include  the 
guideline  material  in  an  Appendix,  where  it's  readily  available  and  the  dif¬ 
ference  status  is  apparent. 

2.3.8  Tutorial  Documents. 

Tutorial  documents,  e.g.  textbooks,  are  needed  to  train  personnel 
in  all  phases  of  nuclear  hardening  and  testing,  ranging  from  test  techni¬ 
cians  to  nuclear  effects  experts.  These  also  are  not  formally  imposed  on 
system  development,  but  are  made  available  to  those  who  wish  to  receive  the 
education.  It's  particularly  important  for  there  to  be  a  range  of  text¬ 
books;  i.e.  different  ones  for  training  experts  who  intend  to  advance  the 
state  of  nuclear  effects  knowledge  than  those  intended  to  train  engineers 
for  whom  nuclear  effects  is  only  one  of  many  subjects  competing  for  their 
attention. 

2.3.9  Technical  Support  Documents. 

We  have  emphasized  the  formal  nature  of  the  Standards,  Methodolo¬ 
gies  and  Specification  Formats,  indicating  that  they  should  present  an 
easily  followed,  unambiguous  recipe  to  which  a  lawyer  could  judge  compli¬ 
ance.  This  does  not  leave  much  room  for  explanatory  material  or  for  techni¬ 
cal  justification  of  the  rules.  It's  nevertheless  important  for  the  techni¬ 
cal  basis  for  each  rule  to  be  clearly  established  in  a  form  subject  to 
ongoing  review.  That's  the  purpose  of  Technical  Support  Documents.  These 
present  a  technical  audit  trail  on  which  each  rule  is  based,  including  the 
supporting  data  and  analyses.  These  documents  form  the  basis  for  future 
improvements  to  the  rules,  identify  the  areas  in  which  research  is  needed  to 


refine  or  support  rules,  and  can  be  the  starting  point  for  a  review  of  a 
waiver  request  from  one  of  the  rules.  While  these  documents  do  not  present 
any  information  with  which  the  development  organization  is  required  to  com¬ 
ply  contractually,  we  believe  it  is  essential  for  these  documents  to  be  pre¬ 
pared.  Otherwise,  the  basis  for  the  rules  would  soon  become  unclear,  and 
future  generations  of  technologists  and  engineers  would  waste  a  lot  of  time 
arguing  about  their  adequacy. 


2.4 


UNCERTAINTIES,  STATISTICS,  AND  MARGINS. 


2.4.1 


Introduction, 


The  process  of  nuclear  hardness  assessment  or  validation  is  beset 
with  many  uncertainties.  Since  the  possibility  or  adequacy  of  a  particular 
nuclear  hardness  validation  process  is  frequently  questioned  on  the  grounds 
of  uncertainty,  we  will  address  this  subject  explicitly.  In  order  to  pro¬ 
vide  additional  insight  into  the  problem  we  will  define  three  classes  of 
uncertainties;  parameter  variations,  modeling  uncertainties,  and  evaluation 
approximations.  It  is  apparent  to  all  workers  in  the  field,  and  especially 
to  critics  of  hardness  validation  methodologies,  that  there  are  many  uncer¬ 
tainties  and  some  of  them  cover  a  wide  range  of  values.  It  is  not  difficult 
to  construct  a  hardness  validation  approach  whose  application  can  be  reduced 
tc  the  ridiculous  if  one  tries  to  incorporate  all  of  these  uncertainties. 


The  process  of  hardness  validation  is  frequently  confused  with 
hardness  assessment.  We  will  offer  distinct  definitions  of  these  two  terms. 
We  will  define  hardness  assessment  as  a  process  by  which  investigators  gene¬ 


rate  the  best  estimate  of  the  hardness  level  of  a  systems  hardness  level 
(stress  level  at  which  it  reaches  its  threshold  of  failure),  together  with 
estimates  of  the  distributions  of  the  hardness  levels  and  the  uncertainties 
in  making  the  estimate.  Hardness  validation,  on  the  other  hand,  is  the  pro¬ 
cess  by  which  investigations  establish  that  the  system  meets  its  hardness 
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requirement.  Hardness  validation  is  not  concerned  with  an  accurate  estimate 
of  the  threshold  for  system  failure;  it  is  directed  at  establishing  at  a 
reasonably  high  level  of  confidence,  that  the  system  will  not  fail  at  and 
below  a  given  level  of  environmental  stress. 

These  two  processes  are  frequently  intermixed  because  the  methods 
that  are  used  to  achieve  a  hardness  validation  or  similar  to  those  used  for 
hardness  assessment.  It  is  also  true  that  an  accurate  hardness  assessment, 
f  which  incorporates  all  variables  and  uncertainties  in  a  high-confidence 

determination  of  the  probability  of  system  failure  as  a  function  of  environ- 
j  mental  stress,  would  immediately  generate  the  hardness  validation.  One  sim- 

I  ply  has  to  evaluate  the  probability  of  failure  at  the  particular  value  of 

j  environmental  stress  corresponding  to  the  system  specification  to  determine 

whether  the  hardness  had  been  adequately  validated.  Unfortunately,  it  turns 
out  that  an  accurate  determination  of  the  probability  of  failure  versus 
environmental  stress  is  an  extremely  difficult  task,  which  is  beset  with  all 
the  uncertainties  and  variations  that  we  will  discuss  below.  Therefore,  it 
is  not  surprising  that  hardness  validation  based  upon  applying  hardness- 
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f  assessment  methods  does  not  lead  to  a  high  confidence  conclusion. 

For  this  reason  we  offer  the  suggestion  that  hardness  validation 
be  approached  from  a  significantly  different  point  of  view  than  hardness 
assessment.  Hardness  assessment  is  concerned  with  generating  the  maximum 
likelihood  estimates  of  the  probability  of  system  failure  as  a  function  of 
environmental  stress.  The  uncertainties  in  these  estimates  can  go  both 
ways.  There  are  factors  that  might  make  the  system  harder  than  this  esti¬ 
mate,  other  factors  make  it  softer.  Hardness  validation  is  concerned  only 
with  a  one-sided  answer:  that  the  hardness  is  at  least  as  great  as  the  spe¬ 
cified  level.  For  this  reason,  it  is  appropriate  to  incorporate  into  hard- 
ness  validation  one-sided  estimates,  such  as  worst-case  values  of  parameters 
and  expected  responses.  This  process  would  not  be  valid  for  an  unbiased 
hardness  assessment,  but  it  is  applicable  to  a  legalistic  hardness  valida¬ 
tion. 


Once  one  accepts  the  idea  of  using  bounds  as  a  way  of  overcoming 
uncertainties,  it  also  leads  naturally  to  a  choice  of  methods  by  which  the 
bounds  are  derived.  Usually  one  can  establish  bounds  to  various  phenomena, 
including  nuclear  effects,  using  very  simple  principles,  although  such 
bounds  may  be  far  from  the  maximum  likelihood  expected  response.  For  exam¬ 
ple,  in  EMP  problems  it  is  always  possible  to  bound  the  amount  of  available 
energy  by  using  the  Poynting  vector  and  the  effective  target  cross  section 
of  the  system.  The  target  cross  section  has  a  maximum  value  dependent  upon 
its  physical  size  and  the  wavelength  of  the  electromagnetic  radiation  inter¬ 
acting  with  it.  Clearly,  it  doesn't  require  much  effort  to  calculate  this 
bound  on  the  available  EMP  energy.  Unfortunately,  this  answer  is  almost 
always  useless,  because  this  bound  on  the  available  energy  is  much  greater 
than  the  amount  of  energy  needed  to  produce  significant  damage  in  individual 
electronic  devices.  Therefore,  it  is  necessary  to  work  harder,  e.g.,  to 
evaluate  bounds  on  the  attenuation  factors  that  are  interposed  between  the 
external  energy  fluence  and  the  potentially  effected  electronic  devices 
before  one  can  generate  an  inequality  on  which  hardness  validation  can  be 
based.  These  calculations  can  also  progress  at  the  various  levels  of 
detail,  each  with  a  corresponding  degree  of  conservatism.  For  example,  sim¬ 
ple  inspection  of  a  metallic  enclosure  can  assure  that  the  electromagnetic 
energy  flux  inside  the  enclosure  will  be  attenuated  by  a  factor  of  40  dB 
compared  to  the  external  flux.  It  takes  an  easily  noticeable  penetration 
for  the  magnetic  field  inside  a  metallic  exposure  to  be  greater  than  of 
the  incident  field.  On  the  other  hand  i  f  a  40  dB  worst  case  attenuation 
factor  does  not  produce  a  useful  hardness  validation  answer,  it  may  be 
necessary  to  perform  electromagnetic  attenuation  measurements  over  the  range 
of  EMP  frequencies.  For  example,  it's  probably  necessary  to  perform  ongoing 
hardness  maintenance  and  surveillance  activities  to  demonstrate  that  the 
actual  shielding  factor  is  maintained  at  a  level  of  80  dB  or  greater.  The 
moral  of  this  example  is  that  when  we  are  fortunate  to  have  a  significant 
margin  available,  relatively  simple  analyses  can  serve  to  establish  with 


high  confidence  that  the  hardness  is  validated.  When  we  are  not  so  fortu¬ 
nate,  more  elaborate  processes  are  needed  to  bring  the  bounds  closer  to  the 
expected  values.  The  key  issue  in  hardness  management  is  to  identify  the 
candidate  methods  for  placing  useful  bounds  on  nuclear  effects.  The  methods 
can  consist  of  using  the  maximum  likely  estimate  as  in  a  hardness  assessment 
and  adding  an  additional  safety  factor  to  the  answer  to  create  a  reasonable 
bound.  In  other  cases,  the  methods  can  be  fundamentally  different  when  one 
is  seeking  a  bound  rather  than  a  maximum  likely  estimate. 

2.4.2  Uncertainties. 

We  will  discuss  three  classes  of  uncertainties  that  effect  hard¬ 
ness  assessment  and  that  have  to  be  compensated  by  margins  and  bounds  in 
hardness  validation:  parameter  variations,  modeling  uncertainties,  and 

evaluation  approximations. 

2.4.2. 1  Parameter  Variations. 

It  is  well  recognized  that  some  parameters  that  describe  the 
nuclear  response  of  a  system  have  large  variations.  In  the  case  of  tran¬ 
sient  radiation  effects  in  electronics  (TREE)  these  variables  include  the 
variation  response  of  the  individual  units  for  a  particular  device  type. 
The  EMP  variations  will  include  not  only  the  variation  in  susceptibil ty 
threshold  of  the  electronics  devices,  but  also  variations  in  the  geometry 
that  determine  the  coupling  of  electromagnetic  energy  from  the  incident  EMP 
to  the  electronic  devices.  Some  of  these  parameters  can  vary  widely, 
because  they  may  be  not  closely  linked  to  the  parameters  that  control  the 
ordinary  functional  response  of  the  device  or  enclosure.  For  example, 
enough  is  understood  about  the  long-term  effect  of  ionizing  radiation  on 
semiconductor  devices  to  realize  that  the  effect  can  vary  by  more  than  an 
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order  of  magnitude  depending  upon  the  purity  of  the  oxide  grown  on  the  semi¬ 
conductor  device  and  of  the  temperature  history  through  which  the  device 
must  go  subsequent  to  oxide  formation.  Parameters  that  determine  the  radia¬ 
tion  response  of  the  oxide  are  only  weakly  linked  to  those  that  determine 
the  normal  electrical  function  and  reliability  of  the  device.  For  example, 
both  radiation  and  reliability  are  degraded  by  having  a  sodium  ion  contami¬ 
nation  in  the  oxide,  but  the  normal  function  of  the  device  appears  to  be 
aided  by  hydrogen  atoms,  whereas  the  radiation  susceptibility  is  signifi¬ 
cantly  degraded  by  their  presence.  One  approach  to  nuclear  hardening  is 
thus  to  insist  that  all  possible  relevant  parameters  of  electronic  devices 
and  assembly  are  controlled  so  as  to  preclude  significant  variations  in 
nuclear  response.  This  approach,  we  believe,  is  impractical.  It  devotes  a 
lot  of  resources  to  controlling  parameters  most  of  which  will  turn  out  not 
to  effect  the  hardness  of  the  system. 

Among  relevant  parameters  there  a»*e  three  kinds  of  factors  that 
promote  variations:  initial,  temporal,  and  scenarios. 

The  initial  variations  of  parameters  are  those  which  exist  at  the 
time  that  the  system  is  manufactured.  Where  needed,  these  variations  are 
reduced  by  quality  control.  In  order  to  achieve  cost-effective  hardening, 
it  is  important  to  minimize  the  number  of  parameters  that  must  receive 
extraordinary  quality  control. 


Temporal  variations  are  those  that  occur  with  time  during  normal 
system  storage,  deployment  and  operation.  For  example,  the  normal  air  envi¬ 
ronment,  especially  those  near  the  ocean,  can  degrade  the  contact  between 
metal  surfaces  by  forming  oxides  and  other  non-conducting  films  on  metals. 
To  some  extent  the  performance  margin  that  may  exist  in  a  semiconductor 
device  between  its  requirements  and  its  initial  characteristics  may  be 
eroded  with  time  as  a  result  of  slow  diffusion  of  species  or  action  of  the 


ambient  environment  on  surfaces.  Other  temporal  changes  occur  as  a  result 
of  specific  steps  taken  during  the  normal  life  cycle  of  a  system.  For  exam* 
pie,  routine  maintenance  actions  may  require  that  hatches  or  inspection 
parts  be  removed  and  replaced.  In  this  process  it  is  possible  that  electri¬ 
cal  gaskets  are  damaged,  or  even  left  out  by  the  maintenance  personnel,  when 
the  system  is  reassembled. 

There  are  major  variables  in  the  scenarios  as  well.  While  a  spe¬ 
cification  is  usually  intended  to  be  a  single  or  small  set  of  worst-case 
threats  to  the  system,  the  actual  operational  environment  will  have  a  large 
range  of  variables  in  it.  These  include  variables  to  describe  the  stresses 
imposed  on  the  system  (e.g.,  spectrum,  range  and  incidence  angle).  Other 
environmental  variables  may  be  relevant  to  the  system  response  (e.g.,  atmos¬ 
pheric  pressure)  and  a  large  number  of  variables  describe  the  configuration 
in  which  the  system  finds  itself  at  the  instant  of  exposure  (e.g.,  the  spe¬ 
cific  state  of  the  electronics,  as  well  as  features  of  the  mechanical  con¬ 
figuration). 

2. 4. 2. 2  Modeling  Uncertainties. 

The  expected  response  of  a  system  to  a  given  nucl ear- induced 
stress  is  usually  synthesized  by  combining  data  on  the  •'esponse  of  part  or 
all  of  the  system  under  somewhat  different  stresses  into  a  model  that  pre¬ 
dicts  the  operationally  significant  response.  If  accurate  reproductions  of 
the  operational  conditions  were  available  and  reasonable  to  use  for  test 
programs,  this  model  would  reduce  to  the  simplistic  one  which  says  that  the 
operational  response  will  be  identical  to  the  test  response.  In  all  nuclear 
effects  cases,  there  is  a  wide  chasm  between  reasonably  available  data  and 
operational  situations.  This  chasm  must  be  bridged  by  some  type  of  modeling 
effort,  which  incorporates  the  available  data  and  our  understanding  of  the 
relationship  between  response  and  conditions  into  a  prediction  of  the  opera¬ 
tional  response.  Such  a  model  can  be  as  simple  as  a  few  words  that  indicate 
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the  underlying  assumptions  and  establish  a  relationship  between  test  stress 
and  operational  stress.  Or  it  could  be  as  complicated  as  a  large  scale  com¬ 
puter  code.  In  either  case  there  are  significant  uncertainties  of  three 
types:  simplifications,  perception  errors,  and  missing  phenomena. 

Simplifications  are  those  steps  taken  in  the  modeling  process, 
whereby  complicating  features  of  the  system  or  its  interaction  are  delibe¬ 
rately  left  out  because,  in  the  judgement  of  the  modeler,  they  do  not  signi¬ 
ficantly  alter  the  conclusion  of  the  modeling  effort. 

Perception  errors  are  somewhat  more  insidious.  These  represent 
differences  between  the  modeler's  perception  of  the  system/exposure  and  rea¬ 
lity.  Presumably,  the  modeler  included  all  of  the  parameters  that  he  recog¬ 
nized  as  being  important.  There  are  numerous  examples  of  nuclear  effects 
analysis  (especially  ’n  EMP)  in  which  test  results  revealed  a  parameter 
(e.g.,  a  coupling  path)  that  the  modeler  was  not  even  aware  of  at  the  time 
he  did  his  predictions. 

The  third  area  is  potentially  the  most  disquieting,  but  in  prac¬ 
tice  is  the  least  often  encountered:  missing  phenomena.  Clearly,  if  the 
model  did  not  include  a  process  that  isn't  even  understood  to  be  relevant, 
the  prediction  can  be  far  off.  This  uncertainty  has  some  of  the  same 
character  as  the  perception  error.  In  both  cases  it  is  the  result  of  some¬ 
thing  being  overlooked  in  the  modeling  process.  However,  the  perception 
error  can  always  be  detected  by  performing  suitable  investigations  on  the 
hardware.  The  missing  phenomenon  is  more  difficult  to  expose,  because  with¬ 
out  a  knowledge  of  the  phenomenon  a  judgement  cannot  be  made  on  the  appro¬ 
priate  means  of  exposing  the  unknown  phenomenon.  Clearly,  as  experience  is 
gained  in  a  field  and  more  test  results  under  different  conditions  are  accu¬ 
mulated,  the  chances  of  there  being  an  undetected  phenomenon  decreases, 
while  it  is  never  possible  to  prove  the  absence  of  the  unknown  unknown 
(unk.  unk.),  it  is  not  the  subject  of  overri(ing  concern  at  this  time. 


Evaluation  ADoroximations 


The  third  class  of  uncertainties  involves  the  procedure  by  which 
numerical  evaluations  are  made,  either  analytically  or  experimentally.  For 
example,  computer  programs  performing  complex  calculations  are  limited  in 
their  accuracy,  even  when  the  computer  appears  to  be  performing  the  calcula¬ 
tions  to  many  significant  features.  There  are  many  ways  in  which  codes  can 
generate  inaccurate  answers  because  somewhere  in  the  computation  small  dif¬ 
ferences  of  very  larger  numbers  are  calculated.  It  requires  a  great  deal  of 
critical  evaluation  of  results  generated  over  long  periods  of  time  in  the 
use  of  any  computer  code  before  confidence  in  its  accuracy  is  achieved. 
Experiments  are  also  subject  to  uncertainties.  There  are  the  obvious  inac¬ 
curacies  in  the  measuring  equipment  and  there  are  the  less  obvious  errors 
introduced  by  electrical  noise,  sensor  interference,  and  just  plain  human 
error. 

2.4.3  Statistics. 

Statistical  methods  can  be  powerful  aids  in  dealing  with  some  of 
the  uncertainties  discussed  above.  They  are  particularly  useful  in  describ¬ 
ing  the  variations  in  device  parameters,  and  in  synthesizing  system  response 
variation  from  such  data.  They  are  not  applicable  to  perception  errors  or 
to  the  estimation  of  the  risk  of  missing  phenomena.  Any  estimate  of  the 
risk  of  making  such  errors  must  be  subjective,  and  is  not  amenable  to  objec¬ 
tive  statistical  treatment. 


Statistical  methods  are  generally  of  two  types:  parametric  and 
nonparametric.  Parametric  methods  are  based  on  an  assumed  distribution  of 
the  variables  .  The  conclusions  are  dependent  on  the  validity  of  that 
assumption,  although  with  sufficient  data  the  consistency  of  the  assumed 
distribution  can  be  checked.  Non-parametric  statistics  methods  make  no  such 
assumption,  and  the  conclusions  are  valid  for  any  underlying  parameter  dis¬ 
tribution  from  which  the  data  could  have  reasonably  been  derived. 


Clearly,  from  a  standpoint  of  rigor,  non-parametric  statistics  are 
preferred.  Unfortunately,  in  most  nuclear-effects  applications,  applying 
non-parametric  statistics  to  data  that  can  be  acquired  with  reasonable 
resources  results  in  conclusions  that  are  so  weak  as  to  be  uninteresting. 
For  example,  consider  performing  a  particular  test  on  a  number  of  units  of  a 
military  system  to  draw  a  conclusion  about  nuclear  hardness,  observing  on 
each  test  whether  the  item's  response  during  and  after  the  test  is  accept¬ 
able  (i.e.,  setting  aside  the  qualitative  issue  of  the  interpretation  of  the 
test  results  in  terms  of  operational  stresses).  A  reasonable  goal  of  such  a 
test  is  to  establish  with  80%  Confidence  that  90%  of  the  units  would  survive 
such  a  stress.  Such  a  conclusion  could  be  drawn  if  15  units  were  tested 
without  a  failure,  or  30  units  with  only  one  failure.  Considering  the  dif¬ 
ficulty  and  expense  of  nuclear  effects  tests,  and  the  good  chance  that 
apparent  failures  occur  during  major  test  programs  that  probably  have 
nothing  to  do  with  the  nuclear  stresses,  imposing  such  a  requirement  can  be 
very  costly.  When  this  is  compounded  with  questions,  such  as  the  effect  of 
life-cycle  operation  and  maintenance  on  the  system  (i.e.  do  they  have  to  be 
repeated  periodically?),  the  non-parametric  approach  appears  to  be  of  lim¬ 
ited  use. 

The  parametric  approach  assumes  that  some  parameter  of  interest 
(e.g.  the  stress  level  at  the  threshold  of  failure)  is  distributed  according 
to  some  formula,  and  that  tests  are  used  to  measure  the  parameters  of  that 
distribution.  Commonly  used  distributions  include  Normal,  Lognormal,  and 
Weibull.  For  parameters  that  are  inherently  positive  (e.g.  the  failure 
stress),  we  prefer  the  Lognormal  over  the  Normal.  When  the  standard  devia¬ 
tion  (i.e.  second  moment  or  variance)  is  small  compared  to  the  mean  (i.e. 
first  moment),  these  two  distributions  become  the  same.  When  the  standard 
deviation  is  not  snail  compared  to  the  mean,  the  Normal  distribution  is  not 
meaningful  for  an  inherently  positive  quantity,  because  it  has  a  significant 
value  for  zero  and  negative  arguments.  The  Lognormal  distribution,  instead, 
is  not  meaningful  for  negative  arguments. 


The  consistency  of  an  assumed  distribution  with  the  data  can  be 
checked  by  well-established  numerical  tests.  Given  an  assortment  of  N  data, 
not  only  can  we  calculate  the  attributes  of  an  assumed  distribution  (e.g. 
the  mean  and  standard  deviation  of  a  Lognormal  distribution),  but  also  eval¬ 
uate  the  likelihood  that  the  N  data  came  from  a  Lognormal  distribution. 
Unfortunately,  this  evaluation  is  likely  to  detect  significant  deviations 
only  if  they  occur  at  the  1/N  level  in  the  probability  distribution.  For 
example,  a  tail  in  the  underlying  probability  distribution  that  occurs  at 
the  10-3  level  is  unlikely  to  appear  if  the  sample  size  is  only  100.  There¬ 
fore,  such  tests  are  useful  in  establishing  the  consistency  of  the  data  with 
an  assumed  distribution,  but  they  can  never  prove  that  the  distribution  is 
correct  at  probability  levels  beyond  those  at  which  data  exist.  Unfortu¬ 
nately,  the  need  for  parametric  methods  is  precisely  in  these  limits:  to 
extrapolate  limited  statistical  data  to  useful  probability  levels  at  which 
we  cannot  afford  to  treat  data  nonparametrical ly. 

Therefore,  there  is  a  valid  criticism  that  the  validity  of  para¬ 
metric  statistics  can  not  be  proven  out  to  the  probability  levels  that  need 
to  be  used  for  practical  conclusions.  This  criticism  is  answered  in  two 
ways : 

1.  Since  applying  nonparametric  statistics  with  reasonable 
investments  in  testing  does  not  produce  useful  answers,  tak¬ 
ing  the  risk  of  assuming  a  parameter  distribution  to  generate 
useful  answers  seems  to  be  the  lesser  of  the  risks. 

2.  Since  there  is  some  risk  involved,  it  is  important  for  the 
government  to  control  that  risk  by  specifying  the  acceptable 
assumptions,  as  it  has  traditionally  done  in  Reliability,  and 
thereby  controlling  the  methods  to  be  applied  by  individual 
systems  programs. 


The  methods  to  test  the  validity  of  the  statistical  assump¬ 
tions  should  be  applied  to  the  broadest  data  base  possible, 
in  order  to  perform  such  tests  to  as  low  a  stress-probabil ity 
level  as  possible.  For  example,  if  the  form  of  a  distribu¬ 
tion  is  assumed  for  a  class  of  electronics  parts  responses, 
and  the  assumption  is  made  that  different  members  of  the 
class  (e.g.  different  part  types)  differ  only  in  the  distri¬ 
bution  parameters  (e.g.  mean  and  standard  deviation),  then 
the  consistency  of  the  distribution  assumption  (e.g..  Log¬ 
normal)  can  be  checked  by  renormalizing  all  data  for  all 
members  of  the  class  by  the  distribution  parameters  evaluated 
for  the  individual  members  of  the  class.  In  other  words,  the 
data  can  be  replotted  on  a  single  distribution  by  dividing 
each  datum  by  the  mean  for  its  type,  and  raising  the  result 
to  a  power  which  is  the  reciprocal  of  the  standard  deviation 
for  the  type;  i.e. 


S*  =  (S/S  ) 
m 


Where  S*  is  the  normalized  value  of  S,  whos®  mean  is  and 
standard  deviation  o.  The  lognormal  distribution,  S*,  has  a 
mean  of  unity  (log  =  0)  and  a  standard  deviation  of  e  (zn  = 
±1). 


Since  there  remains  some  risk  that  an  undetected  tail  on  a 
failure  distribution  causes  operational  problems,  there 
remains  a  continuing  need  to  perform  some  "realistic" 
integral  tests  on  operational -type  equipments.  Since  there 
are  a  lot  of  additional  hidden  variables  in  testing  compli¬ 
cated  equipments,  these  cannot  serve  as  a  basis  for  statisti¬ 
cal  evaluations.  Instead,  they  are  another  means  of  mini¬ 
mizing  the  risks  incurred  in  the  statistical  approach,  which 
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relies  on  simpler  tests  to  generate  the  data.  In  our 
approach,  there  is  some  question  as  to  whether  the  government 
or  the  development  organization  should  accept  the  risk  of 
failure  in  such  an  integral  test,  but  there  is  no  question 
that  the  developer  must  demonstrate  compliance  with  the  para¬ 
metric  statistical  methods,  as  defined  by  government  provided 
standards. 

2.4.4  Margins. 

Margins  play  a  key  role  in  engineering  design  to  meet  adverse 
environmental  influences,  including  nuclear  effects.  As  suggested  before, 
it‘s  not  reasonable  to  base  the  design  and  validation  on  an  accurate  repre¬ 
sentation  of  the  system's  response  to  an  adverse  stress;  the  cost  of  gener¬ 
ating  and  applying  the  data  can  far  exceed  the  benefit  to  be  derived. 
Instead,  the  cost-effective  approach  is  to  use  worst  case  limits  to  estab¬ 
lish  that  the  system  will  respond  within  acceptable  performance  envelopes  to 
the  entire  range  of  adverse  stresses.  Design  margins  are  frequently  used  to 
establish  this  result.  For  example,  if  it  can  be  established  that  the 
margin  between  the  worst  case  initial  gain  of  a  transistor  and  the  minimum 
value  required  to  perform  a  circuit  function  is  greater  than  the  worst  case 
degradation  caused  by  the  specified  neutron  and  gamma  exposure,  together 
with  a  suitable  allocation  for  in-service  degradation,  then  it  is  estab¬ 
lished  that  the  transistor  is  not  critical  to  the  required  hardness  of  the 
system.  Similar  inequalities  can  be  applied  to  other  hardness  related  fea¬ 
tures,  such  as  the  quality  of  the  electrical  shielding. 

The  foregoing  discussion  illustrates  how  a  margin  can  be  used  to 
compensate  for  the  variables  in  nuclear- induced  degradation  of  electronic 
parts  or  assemblies.  A  margin  can  also  be  used  to  compensate  for  approxima¬ 
tions  made  in  the  hardness  validation  process.  For  example,  consider  the 
case  in  which  the  transistor  gain  margin  is  not  sufficient  to  compensate  for 


the  worst  possible  degradation.  Then  test  data  may  be  required  to  establish 
the  adequacy  of  the  design.  The  tests  can  be  performed  on  a  range  of  sample 
sizes,  the  larger  the  size  the  more  accurate  the  statistical  conclusions  but 
the  more  expensive  the  test.  There  exist  standard  statistical  procedures  by 
which  margins  are  applied  to  small-sample  data  to  compensate  for  the  small¬ 
ness  of  the  sample  (e.g.  tables  for  samples  from  normal  distributions). 
If  there  is  sufficient  design  margin  to  accomodate  a  larger  K^i  factor,  a 
smaller  sample  size  is  satisfactory.  If  not,  a  larger  sample  size  is 
required. 

This  same  concept  of  applying  margins  to  simplify  validation 
methods  extends  to  analytic  methods.  An  EMP  coupling  calculation  can  be 
performed  at  many  degrees  of  sophistication,  ranging  from  simple  hand  calcu¬ 
lations  to  three-dimensional  computer  modeling.  The  hand  calculation  is 
satisfactory  if  a  margin  applied  to  the  result  to  account  for  its  approxima¬ 
tions  can  be  tolerated  by  the  system  design;  otherwise,  a  more  accurate,  and 
presumably  more  costly  method,  is  required.  If  too  many  structural  details 
become  involved  in  the  assessment,  it's  probably  necessary  to  perform  a  test 
to  validate  the  hardness.  In  this  case,  we  are  faced  not  only  with  the  cost 
of  a  realistic  test,  but  also  the  prospect  of  having  to  repeat  it  occasion¬ 
ally  as  part  of  a  hardness  surveillance  program.  Clearly,  a  margin  incor¬ 
porated  into  the  design  can  save  a  lot  of  money  downstream  during  hardness 
validation,  hardness  assurance,  hardness  maintenance  and  hardness  surveil¬ 
lance. 

2.5  AHALYSIS/TEST  HIERARCHIES. 

The  discussion  in  the  previous  section  on  Margins,  and  especially 
some  the  examples,  leads  directly  to  a  hierarchical  approach  to  analyses  and 
tests .  Our  recommendations  follow  the  tradeoff  philosophy  established 
earlier:  margins  can  be  traded  off  against  complexity  in  validation  methods. 
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In  the  past,  where  required  analyses  and  tests  were  specified  in 
the  contractual  documents  at  all,  the  analysis/test  requirements  were  speci¬ 
fic,  or  at  least  were  intended  to  be.  As  discussed  previously  in  Sec¬ 
tion  2.2,  there  were  ambiguities  in  the  interpretation  of  the  results,  par¬ 
ticularly  in  the  success  criteria.  However,  the  developer  has  not  usually 
been  offered  any  options:  each  defined  analysis  and  test  task  was  to  be  per¬ 
formed,  and  its  performance  was  independent  of  the  design  (hopefully,  the 
result  depended  on  the  design).  In  some  cases,  there  have  been  debates 
within  government  circles,  aided  and  abetted  by  industrial  experts,  on  whe¬ 
ther  some  tasks  were  required  or  not.  Usually,  the  final  word  on  these 
arguments  has  been  fiscal:  things  do  not  get  done  if  no  one  supplies  the 
money  to  do  them.  Other  arguments  are  based  on  test  quality  (e.g.  the 
debate  over  whether  B-1  should  be  exposed  to  TRESTLE),  and  on  the  possibil¬ 
ity  of  misinterpreting  the  result  if  it's  influenced  by  the  lack  of  realis¬ 
tic  simulation  fidelity. 

Our  recommendations  offer  a  distinct  variation  to  this  theme.  The 
contracts  should  not  specify  all  of  the  specific  tests  and  analyses  to  be 
performed,  but  specify  the  rules  whereby  a  specific  set  of  tests  and  analy¬ 
ses  can  be  selected  by  the  developing  organizations.  In  general,  these 
rules  are  such  as  to  motivate  the  designers  to  incorporate  margins  in  their 
designs.  These  margins  do  not  allow  a  hardness  issue  to  be  ignored,  but 
they  enable  simpler  methods  (which  require  larger  margins  to  be  justified) 
to  demonstrate  that  hardness  has  been  achieved. 


i 


Consider  the  example  of  the  SGEMP  hardness  of  a  spacecraft.  A 
favored  approach  to  hardening  a  spacecraft  with  respect  to  a  variety  of 
electromagnetic  stresses  is  to  enclose  the  electronics  and  cabling  in  elec¬ 
trical  shielding  compartments  (so-called  Faraday  cages),  and  to  control  the 
signals  that  must  pass  into  and  out  of  those  compartments.  It  was  argued  by 
some  satellite  designers  that,  since  their  satellite  used  this  approach,  the 
issue  of  SGEMP  generated  external  to  the  cable  shields  was  irrelevant,  and 
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no  analysis  or  testing  would  be  required.  It  was  argued  by  some  nuclear- 
effects  experts  that  the  quality  of  the  shielding  needed  to  be  verified,  and 
that  a  realistic  stress  test  was  required  whether  the  electrical  shielding 
were  incorporated  into  the  design  or  not.  Our  approach  to  this  conflict  is 
this:  if  the  electrical  shielding  is  more  than  adequate  to  provide  protec¬ 
tion  from  external  and  cavity  SGEMP  excitation,  this  can  be  demonstrated  to 
anyone's  satisfaction  with  a  modest  electrical  test  program:  injecting  elec¬ 
trical  currents  into  the  spacecraft  structure  and  cable  shielding  and  ver¬ 
ifying  that  the  signals  coupled  into  critical  circuits  are  well  below  the 
threshold  for  functional  disturbance.  This  injection  test,  since  it 
involves  relatively  efficient  conversion  of  electrical  energy  in  the  simu¬ 
lator  (or  stimulator),  can  easily  be  performed  at  a  level  far  enough  above 
the  expected  threat  level  to  compensate  for  uncertainties  in  reproducing 
realistic  current  distributions  and  waveforms.  This  approach  provides  the 
basis  for  an  intelligent  tradeoff:  if  the  margin  is  sufficient  and  the 
developer  has  confidence  in  it,  a  simple  test  serves  to  demonstrate  that  the 
margin  exists.  If  the  margin  is  not  sufficient  to  utilize  the  simple  test, 
a  more  complex  validation  method  is  required,  with  the  attendant  extra  costs 
and  risks. 

Incorporating  this  approach  into  the  legalistic  form  of  contrac¬ 
tual  specifications  requires  that  the  government  define  all  of  the  valida¬ 
tion  method  options  and  the  margins  that  must  be  applied  for  each  method  and 
the  Standards  that  control  the  application  of  each  method.  Once  this  is 
provided,  a  legally  enforceable  framework  exists  within  which  the  developer 
can  choose  the  approach  that  minimizes  costs  and  risks  to  himself  while 
being  assured  that  the  government  must  accept  the  results  if  they  are  satis¬ 
factory  according  to  the  pre-defined  rules. 


2.6 


ZONE  CONCEPT. 


The  zone  concept  is  another  means  by  which  the  developer  can  trade 
off  complexity  for  accuracy  in  the  nuclear  effects  validation  tasks.  Under 
a  particular  realistic  nuclear  stimulation  (radiation  or  electrical)  each 
portion  of  an  electronic  system  is  exposed  to  a  particular  level  of  excita¬ 
tion.  It  is  very  costly  to  determine  the  excitation  at  each  of  many  loca¬ 
tions  for  each  of  many  exposure  conditions,  and  then  to  evaluate  the  elec¬ 
tronics  response  to  each  of  the  exposures  in  terms  of  the  different  excita¬ 
tions  of  different  parts.  Consider  the  specific  case  of  X-ray  exposure.  A 
detailed  modeling  of  an  electronic  system  in  sufficient  detail  to  calculate 
the  particular  dose  deposited  in  each  electronic  device,  and  to  repeat  that 
calculation  of  each  possible  exposure  orientation  and  spectrum,  would  be  an 
expensive  proposition.  Instead,  it  is  customary  to  use  worst  case  values 
(e.g.  the  dose  at  devices  located  at  the  surface  of  the  electronics 
assembly)  to  establish  satisfactory  operation.  In  effect,  this  approach 
neglects  the  shielding  that  is  provided  by  other  electronic  devices,  at 
least  for  some  exposure  orientations,  but  includes  the  shielding  provided  by 
the  enclosure  and  deliberate  overall  shields.  The  problem  of  calculating 
the  dose  as  a  function  of  spectrum,  or  at  least  the  worst  case  dose  (usually 
associated  with  the  hottest  spectrum)  is  considerably  simplified  by  using 
this  single  worst  case  dose.  However,  there  is  a  penalty  to  this  approach: 
the  electronics  must  be  sufficiently  tolerant  of  the  exposure  that  any 
device  could  perform  its  function  in  spite  of  this  dose,  even  those  that  are 
fortunate  enough  to  be  located  inside  the  electronics  assembly  where  they 
receive  additional  shielding  from  other  devices.  This  approach  could  lead 
to  unnecessary  hardening.  In  that  case,  it  would  be  better  to  consider 
those  devices  that  are  located  more  deeply  in  the  electronics  assembly 
separate  from  the  ones  near  to  a  surface,  and  perform  two  calculations  of 
worst-case  dose:  one  that  applies  to  the  set  of  devices  near  the  surface  and 
another  for  the  more  heavily  shielded  devices.  It  might  even  be  prudent  to 
incorporate  a  deliberate  extra  shield  for  some  particularly  sensitive 


devices,  and  a  special  calculation  applies  to  them.  In  this  case,  the  elec¬ 
tronics  has  been  partitioned  into  three  zones  for  purpose  of  X-ray  dose 
calculations.  Each  device  is  assigned  to  one  of  these  zones,  and  its 
response  is  evaluated  with  respect  to  the  worst-  case  dose  in  that  zone. 
The  developer  has  the  option  of  defining  as  few  or  as  many  zones  as  he 
chooses:  the  more  zones  provides  the  ability  to  have  less  margin  between 
device  tolerance  and  actual  exposure  at  the  expense  of  additional  calcula¬ 
tions.  Fewer  zones  decrease  the  validation  cost,  but  at  the  expense  of 
additional  dose  tolerance  margins  for  those  devices  that  are  more  heavily 
shielded  than  the  worst-case  members  of  their  zone. 

The  same  approach  applies  to  other  excitations.  It  is  usually 
trivial  for  gammas  and  neutrons,  because  the  shielding  provided  by  typical 
electronics  for  these  high-energy  particles  is  little  enough  that  it  rarely 
justifies  using  more  than  one  zone.  It  is  particularly  important  for  EMP 
excitations,  because  there  the  zones  are  determined  by  a  combination  of 
radiation  shielding  (for  lEMP  type  excitations)  and  electrical  shielding. 
There  are  some  natural  barriers  between  zones,  which  contribute  greatly  to 
EMP  protection  at  relatively  little  cost.  Those  barriers  almost  certainly 
need  to  divide  different  zones.  Consider  a  typical  electronics  system  con¬ 
sisting  of  a  number  of  chassis  located  inside  a  room  with  cabling  extending 
between  chassis  and  to  the  outside  world.  The  room  itself  provides  some 
protection  from  the  externally  imposed  EMP  field,  and  the  excitation  of  the 
conductors  external  to  the  building  is  much  greater  than  any  internal  exci¬ 
tation.  Therefore,  separating  the  external  cable  excitation  from  the  inter¬ 
nal  cable  excitation  is  fruitful.  If,  in  addition,  some  interface  protec¬ 
tion  is  applied  where  the  conductors  penetrate  the  building  wall,  a  consid¬ 
erable  reduction  can  be  achieved.  The  same  argument  applies  at  the  elec¬ 
tronics  enclosures,  which  are  usually  metal  boxes  with  a  considerable  elec¬ 
trical  shielding  effectiveness.  Not  only  are  the  fields  inside  the  boxes 
much  less  than  outside,  the  length  of  wiring  with  which  the  fields  can 
interact  inside  the  boxes  is  also  much  less  than  the  inter-box  wiring.  Fur¬ 
thermore,  if  some  of  the  cabling  happens  to  be  shielded,  it's  prudent  to 


define  an  excitation  zone  inside  the  shield  separate  from  the  outside.  This 
example  illustrates  the  motivation  for  adding  zones:  additional  zones  are 
worthwhile  when  the  barrier  between  them  contributes  a  significant  reduction 
in  stress.  On  the  other  hand,  it's  possible  that  the  electronics  has  been 
designed  with  enough  margin  that  the  extra  barriers  are  not  needed  for  EMP 
protection.  In  that  case,  the  extra  zones  are  not  needed  in  the  validation. 

Thus  we  again  see  that  having  relatively  few  zones  is  desirable 
for  simplicity,  but  where  additional  zones  contribute  significantly  to 
achieving  hardness  at  less  cost  they  are  justified.  Again  there  is  an  easy 
way  to  incorporate  this  approach  into  the  legalistic  contractual  procedures: 
the  developer  has  the  option  to  define  as  few  or  as  many  zones  as  he  wishes 
as  long  as  within  each  zone  the  excitation  at  any  point  is  assumed  to  be  as 
much  as  the  worst-case  excitation  within  that  zone  for  the  worst-case  expo¬ 
sure  condition. 

The  zonal  method  also  merges  well  with  the  Hierarchical  approach. 
In  practice,  the  developer  would  start  performing  the  validation  tasks 
assuming  relatively  few  zones  for  each  type  of  excitation.  Where  the  mar¬ 
gins  permit  him  to  derive  a  satisfactory  conclusion,  no  further  work  is 
required.  Where  the  conclusion  is  unacceptable,  additional  zones  can  be 
defined  as  well  as  additional  refinements  in  the  validation  analysis  or  test 
method.  Presumably,  this  process  will  lead  to  an  acceptable  conclusion;  if 
not,  redesign  is  required.  It  is  the  responsibility  of  the  developer  to 
have  created  a  design  for  which  this  process  converges.  There  is  no  escape, 
such  as  stopping  short  of  an  acceptable  answer  when  money  or  time  run  out. 

2.7  EFFECT  OF  MARGINS  ON  HARDNESS  ASSURANCE/MAINTENANCE/SURVEILLANCE. 

The  previous  subsections  have  illustrated  a  recommended  relation¬ 
ship  between  design  margins  and  the  complexity  of  hardness  validation 
methods  (e.g.,  analysis/test,  number  of  zones).  There  is  also  an  effect  on 


steps  in  hardness  management  beyond  hardness  validation:  hardness  assur¬ 
ance,  maintenance  and  surveillance  (HAMS).  This  relationship  was  proposed 
in  the  pioneering  work  of  Patrick  and  Ferry,  AFWL-TR-76-147,  and  has  been 
applied  to  a  number  of  subsequent  electronic  systems  developments.  In 
effect,  the  philosophy  is  that  larger  margins  allow  less  concern  about  HAMS. 

Design  Margins  when  applied  to  electronic  components  result  in 
their  allocation  to  various  Hardness  Critical  Categories  (HCC),  each  of 
which  carries  with  it  testing  requirements  of  varying  degrees  of  complexity 
and  cost.  The  definition  of  design  margins,  as  applied  in  the  categoriza¬ 
tion  process  has,  therefore,  a  major  impact  upon  costs  during  design,  pro¬ 
duction  and  maintenance. 

Two  different  part  categorization  methods  have  come  into  use:  the 
Design  Margin  Break  Point  (DMBP)  method,  and  what  we  will  call  the  Part 
Failure  Budget  Method  (PFB)  method. 

The  first  of  these  is  applicable  to  systems  with  moderate  require¬ 
ments  and  involves  the  application  of  a  discrete  set  of  categorization  cri¬ 
terion  to  all  parts  of  the  system.  The  basic  assumption  involved  is  that 
even  under  worst-case  conditions,  the  moderate  system  requirements  can  be 
easily  met.  The  DMBP  method  is  intended  to  greatly  simplify  Hardness  Assur¬ 
ance  Design  Documentation  (HADD)  by  the  application  of  a  single  simple  rule 
to  all  parts  of  the  system.  It  has  the  disadvantage  of  leading  to  overde¬ 
sign  in  some  cases  with  a  large  number  of  parts  being  assigned  to  the  more 
critical  part  categories  and  therefore  requiring  expensive  test  procedures. 
This  method  has  been  used  by  both  the  Air  Force  and  the  Army. 

The  Part  Categorization  Criteria  method  is  designed  for  applica¬ 
tion  to  systems  with  higher  level  requirements.  In  this  case  separate  cate¬ 
gorization  criteria  are  applied  to  each  part  type.  The  FCC  approach  can 


lead  to  substantially  fewer  parts  being  assigned  to  the  most  critical  cate¬ 
gory  with  a  consequent  reduction  in  testing  requirements  and  reduced  costs 
over  the  life  cycle  of  the  system.  The  disadvantage  is  complication  of  the 
HADD  because  each  part  could  have  a  different  categorization. 

2.7.1  Design  Margin  Break  Point  Method. 

In  my  DMBP  method  a  single  set  of  design  margins  is  defined  for  a 
given  effect  and  a  large  family  of  part  types.  The  margins  must  be  large 
enough  to  compensate  for  the  worst  variations  that  could  be  encountered  in 
the  family. 

The  design  margin  is  defined  in  terms  of  mean  values  at  the  radia¬ 
tion  specification  level  for  the  system  and  at  the  failure  level  of  the  part 
type.  For  example,  it  is  common  practice  to  define  the  design  margin  in 
terms  of  failure  fluence  or  dose  versus  specification  level  e.g., 

"  ‘^FAIL  ^“^SPEC  °°^®FAIL^  ^°^®SP£C 

The  results  obtained  are  then  compared  to  preassigned  values  used 
to  categorize  the  parts  e.g.,  those  shown  in  Table  1. 

Table  1.  Example  of  parts  categories. 

Category  Action 

Unacceptable  Redesign 

HCC  I 
HCC  II 
Non  Critica 


Design  Margin 
D.M.  <  2.0 
2.0  <D.M.<10 
10  <  D.M. <100 
100  <D.M.<1000 
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Unfortunately  a  variety  of  design  margin  definitions  have  appeared 
in  the  literature.  The  definitions  are  not  consistent  and  recent  official 
documentation  (e.g.,  MIL-HOBK-279)  has  not  adequately  distinguished  between 
the  different  definitions.  Costly  errors  and  misunderstandings  can  result 
as  pointed  out  in  Appendix  A. 


An  alternative  to  defining  design  margins  in  terms  of  environ¬ 
mental  levels  is  to  use  device  parameter  values 


D.M.  = 


where  is  assigned  on  the  basis  of  a  worst  case-circuit  analysis  and 

PARsp^C  determined  experimentally  by  exposing  a  sample  of  parts  to  the 
specified  radiation  limit.  In  the  past,  it  has  not  been  stressed  suffi¬ 
ciently  that  the  approach  using  device  parameter  values  will  only  yield 
results  that  are  consistent  with  the  environmental  definition  when  the 
device  response  is  strictly  proportional  to  environmental  exposure. 
Unfortunately,  cases  where  this  condition  is  violated  are  more  frequent  than 
those  where  it  applies,  especially  in  complex  microcircuits.  The  result  can 
lead  to  considerable  confusion. 


Another  problem  in  applying  this  method  in  the  past  is  that  assign¬ 
ment  of  values  to  the  design  margin  break  points  were  influenced  more  by  the 
effect  on  design  (i.e.,  how  much  margin  could  be  tolerated  without  signifi¬ 
cant  effect  on  equipment  design)  than  by  the  underlying  variations  in  part 
response  that  the  margins  is  to  compensate  for.  For  example,  a  smaller  mar¬ 
gin  is  sometimes  assigned  to  total  dose  levels  than  to  neutron  fluences, 
even  though  the  variations  in  semiconductor  device  response  is  usually  lar¬ 
ger  for  the  long-term  ionization  effect. 


'  ■  N" 


In  the  PFB  method  the  failure  budget  for  the  system  for  each 
effect  is  distributed  among  all  the  parts  in  a  manner  such  as  to  minimize 
the  overall  hardening  and  HAMS  cost.  For  each  part  type  the  validation  and 
HAMS  activities  are  then  chosen  to  control  the  part  contribution  to  overall 
system  failure  to  be  within  its  budget.  Since  the  individual  part  contribu¬ 
tions  to  a  realistic  system  failure  budget  must  be  very  small,  a  form  for 
the  underlying  statistical  distribution  must  be  assumed  to  yield  useful 
results  at  reasonable  costs  (i.e.,  we  must  use  parameteric  statistics). 

As  applied,  the  statistical  approach  assumes  that  the  radiation 
results  on  components  can  be  satisfactorily  described  by  a  lognormal  distri¬ 
bution  (see  Appendix  B).  In  this  statistical  treatment  the  old  definition 
of  design  margin  is  retained.  However,  the  part  categorization  assigned  is 
made  contingent  upon  the  degree  of  variability  for  the  part  type  and  its 
consistency  with  the  failure  budged  assigned  to  the  part.  The  problem  of 
nonlinearity  in  device  response  still  leads  to  discrepancies  when  categori¬ 
zation  is  based  upon  parameter  ratios  rather  than  the  ratio  between  environ¬ 
mental  failure  and  specification  levels. 
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SECTION  3 

METHODOLOGY  EXAMPLES 


3.1  INTRODUCTION. 

In  this  Section  we  will  attenpt  to  demonstrate  the  practicality  of 
the  recommended  approach  by  outlining  two  sample  methodologies:  EMP  Hard¬ 
ness  Validation  and  TREE  Hardness  Validation,  both  for  typical  tactical  Army 
applications. 

3.2  EMP  HARDNESS  VALIDATION. 

The  Inputs  for  EMP  hardness  validation  of  an  electronics  system 

are: 


1.  One  or  more  specified  EMP  environments,  generally  In  the  form 
of  a  waveform  or  frequency  spectrum  for  a  TEM  free-fleld 
radiation  Incident  on  the  system. 

2.  A  definition  of  what  constitutes  acceptable  operation  by  the 
electronics  system. 

3.  A  description  of  the  system,  and  possibly  one  or  more  systems 
or  subsystems  for  Inspection  and/or  testing. 

The  outputs  of  the  validation  task  are: 


I 

4 


I 

I 

I 


1.  A  conclusion.  If  warranted,  that  the  system,  as  designed  and 
constructed,  will  perform  as  required  In  spite  of  single  or 
specified  multiple  exposures  to  the  EMP  environments. 

2.  Identification  of  those  elements  of  the  design  whose  margins 
are  Insufficient  to  assure  continued  hardness  during  serial 
production  or  routine  operation  and  maintenance. 

As  stated,  the  outputs  do  not  require  a  fragility  curve:  I.e.  the  relation 
between  probability  of  malfunction  and  the  level  of  EMP  environment.  This 
would  be  a  different  requirement,  which  requires  different  methods  to  sat* 
Isfy,  than  strictly  hardness  validation.  It's  to  be  emphasized  that  hard¬ 
ness  validation,  as  defined,  Is  an  asymmetrical  objective:  1t‘s  only 
required  that  the  system  perform  satisfactorily  at  a  given  stress  level. 
It's  not  necessary  to  determine  the  level  at  which  It  will  fall.  Uncertain¬ 
ties  In  the  analysis  can  be  resolved  by  a  conservative  approach  (I.e.  worst 
casing).  This  cannot  be  done  If  a  fragility  curve  Is  required.  It  demands 
a  symmetrical  approach,  with  uncertainty  bands  superimposed.  For  this  rea¬ 
son,  deriving  a  fragility  curve  can  be  a  much  more  difficult  and  expensive 
undertaking  than  hardness  validation. 

This  approach  also  has  Its  counterparts  In  other  disciplines. 
Systems  do  not  usually  require  a  fragility  curve  with  respect  to  shock  and 
vibration,  only  a  validation  at  specified  excitation  levels. 

The  validation  process  may  Include  analyses  and  tests.  The  analy¬ 
ses  and  tests  may  be  simple  or  complex.  The  goal  Is  to  achieve  the  required 
outputs  at  the  minimum  expenditure  of  resources.  The  asymmetric  approach 
promotes  this:  the  methods  are  applied  In  a  step-wise  manner.  If  a  simple 
method  produces  the  required  result,  no  further  effort  Is  required.  This 
will  occur  particularly  when  the  design  Incorporates  a  significant  margin 
between  the  nominal  capability  and  the  requirements. 
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3.2.1  Analysis  Methods. 


The  first  step  In  hardness  validation  analysis  Is  partitioning: 
the  Interactions  leading  from  the  Incident  EMP  environment  to  the  electro¬ 
nics  response  are  partitioned  for  Individual  attention.  This  Is  done  best 
by  zoning:  defining  spatial  regions  within  each  of  which  there  Is  a  single 
worst-case  definition  of  the  EMP  stress  levels.  All  of  the  equipment  must 
be  contained  within  one  or  another  zone.  There  Is  no  other  formal  con¬ 
straint  on  the  zoning.  For  convenience,  the  zone  boundaries  usually  follow 
physical  barriers  (e.g.  conducting  surfaces)  across  which  electrical  trans¬ 
mission  Is  naturally  Inhibited. 

The  second  step  Is  establishing  worst-case  excitation  levels  for 
each  zone.  This  must  take  Into  account  the  excitation  levels  In  adjacent 
zones  and  worst-case  leakage  through  the  zone  boundaries. 

The  third  step  Is  to  bound  the  effects  of  the  worst-case  electri¬ 
cal  excitations  on  the  electronic  devices  and  circuits  located  within  each 
zone. 

Hardness  validation  testing  can  be  conducted  at  any  level  of  exci¬ 
tation  and  assembly  corresponding  to  this  view,  depending  on  the  nature  of 
the  uncertainties  that  must  be  addressed  by  testing.  Uncertainties  In  coup¬ 
ling  between  one  zone  and  another  (e.g.  between  the  externally  Incident 
field  and  Internal  wire  currents)  can  be  addressed  by  one  type  of  testing. 
Uncertainties  In  circuit  response  to  a  given  worst-case  current/voltage 
transient  on  the  Interconnecting  wiring  requires  a  different  test.  Perform¬ 
ing  a  check  on  the  analysis  by  exposing  a  realistic  system  to  a  threat-level 
simulator  Is  another  type.  The  rule  should  be  that  the  uncertainties  to  be 


In  the  following  subsections  we  will  Illustrate  the  hierarchy  of 
methods  available  to  perform  each  of  these  types  of  tasks. 

3.2.1. 1  Zoning. 

Formally,  the  methodology  requires  that  the  entire  physical  space 
occupied  by  the  system  be  divided  Into  clearly  defined  zones:  there  must  be 
no  ambiguity  as  to  which  zone  any  portion  of  the  equipment  occupies.  There 
Is  no  a  priori  specification  on  the  number  of  zones:  the  validator  can 
choose  as  few  or  as  many  as  he  wishes  to  achieve  the  objective.  The  trade¬ 
off  Is  produced  by  the  fundamental  requirement  that  for  each  zone  there  Is  a 
single  worst-case  set  of  electrical  stresses:  all  equipment  within  that 
zone  must  tolerate  those  stresses.  If  only  a  few  zones  are  defined  this  may 
force  some  equipments  to  tolerate  much  larger  levels  than  actually  required. 
If  too  many  zones  are  defined  the  complexity  of  the  analysis  Increases.  In 
principle,  this  definition  even  allows  wIre-by-wIre  circult-by-circult  ana¬ 
lysis:  each  wire  and  circuit  are  a  separate  zone.  In  practice  this  approach 
Is  costly.  Inefficient  and  unnecessary. 

Each  zone  requires  a  clear  definition  of  Its  boundary,  which  also 
defines  what  zones  are  adjacent  to  It.  If  two  zones  are  defined  so  that 
there  Is  an  electrically  transparent  boundary  between  them,  the  worst  case 
excitation  levels  can  not  be  much  different  In  the  two  zones,  and  not  much 
Is  gained  by  defining  separate  zones  rather  than  combining  them  Into  one. 
This  argues  for  defining  the  zone  boundary  at  naturally  occurring  electri¬ 
cally  attenuating  surfaces  (e.g.  conducting  layers). 

In  systems  subjected  to  the  external  EMP  radiation,  one  of  the 
zones  should  always  consist  of  the  exterior  of  the  system:  I.e.  the  region 
In  which  the  Incident  field  Is  specified  and  Interacts  with  the  exterior 
enclosure,  and  earth  If  appropriate.  As  a  minimum,  normally  a  minimum  of 
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two  other  zones  would  be  defined:  one  for  the  Interior  of  the  overall  enclo¬ 
sure  (e.g.  building  or  missile  skin)  and  one  for  the  Interior  of  electronics 
boxes.  Additional  zones  would  be  defined  as  needed,  e.g.  to  distinguish 
between  spatial  regions  In  which  the  electrical  excitation  Is  significantly 
different  (such  as  ones  near  or  far  from  dominant  penetrations),  or  to  dis¬ 
tinguish  between  different  levels  of  electrical  protection. 

The  topology  of  the  zones  can  be  complex  If  necessary.  For  exam¬ 
ple,  If  a  particular  physical  region  contains  both  unshielded  and  shielded 
cables.  It  may  be  prudent  to  define  a  separate  zone  for  the  Interiors  of  the 
cable  shields.  This  allows  the  currents  and  voltages  on  the  Inner  conduc¬ 
tors  of  the  shielded  cables  to  be  smaller  than  the  excitations  of  the 
unshielded  conductors  or  the  shields  on  the  shielded  cables.  In  some  cases, 
the  zone  Inside  the  cable  shields  may  be  an  extension  of  the  zone  Inside 
electronics  boxes  connected  to  the  cables. 

Across  each  boundary  between  zones,  all  means  by  which  electrical 
energy  can  penetrate  must  be  Identified.  Normally,  this  Includes  the  natu¬ 
ral  attenuation  of  the  layer  (as  a  function  of  frequency,  of  course)  as  well 
as  the  transmission  characteristics  of  Imperfections  In  the  layer  (e.g. 
apertures,  seams.  Insulated  conductors). 

Conventional  EMP  hardness  analysis  follows  this  approach,  more  or 
less.  What  needs  to  be  added  Is  a  degree  of  formality:  specific  definition 
of  the  zones,  the  equipments  within  each,  and  the  penetrations  between  them. 

3. 2. 1.2  Zone  Stresses. 

The  next  step  In  the  analysis  Is  to  establish  appropriate  worst- 
case  electrical  stresses  for  each  zone.  These  stresses  Include  electric  and 
magnetic  fields,  which  may  couple  to  conductors  and  excite  barriers  to  adja¬ 
cent  zones,  as  well  as  currents/voltages  on  conductors.  In  both  cases  the 
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frequency  spectrum  of  the  excitations  are  important,  or  at  least  some 
characterization  of  excitations  within  ranges  of  frequencies.  The  control¬ 
ling  requirement  is  that  the  derived  stress  levels  represent  the  worst  cases 
to  be  encountered  within  the  entire  zone.  If  it's  necessary  to  make  an 
exception  of  a  subset  of  the  space  or  of  some  conductors  in  the  zone,  these 
become  part  of  a  separate  zone. 

The  methods  by  which  these  stresses  are  derived  range  from  simple 
estimates  to  complex  computer  calculations,  each  with  a  corresponding  margin 
applied  to  compensate  for  uncertainties.  The  excitations  for  each  zone  con¬ 
sist  of  : 

1.  The  currents  and  charges  (i.e.  magnetic  and  electric  fields) 
on  the  outside  of  the  boundary  surfaces  between  the  zone  and 
adjacent  zones. 

2.  The  magnetic  and  electric  fields  in  apertures  through  the 
boundary  surface. 

3.  The  currents  and  voltages  on  conductors  that  penetrate 
through  the  boundary  surface. 

Usually,  the  only  excitations  that  need  to  be  addressed  are  those 
applied  to  the  zone  by  zones  in  which  the  stress  levels  are  larger  than  the 
selected  zone  stress  levels. 

Translating  the  adjacent-zone  excitations  into  the  selected  zone 
excitations  requires  consideration  of  intervening  protective  layers  or 
devices.  The  detail  to  which  those  layers/devices  need  to  be  modeled 
depends  on  the  degree  of  protection  required.  For  example,  a  conducting  box 
can  assure  at  least  40  dB  of  magnetic  shielding  near  10  MHz,  even  if  it's 
not  provided  with  special  gasketing  and  it  includes  small  apertures.  If 
much  larger  shielding  effectiveness  is  required,  the  details  of  the  aper¬ 
tures  and  seams  may  have  to  be  considered  to  draw  a  valid  conclusion. 


Conductors  that  penetrate  from  one  zone  to  another  are  a  particu¬ 
larly  Important  source  of  excitation:  both  by  conducting  electrical  signals 
to  electronic  devices  and  by  generating  magnetic  (mostly)  and  electric 
fields  inside  the  inner  zone.  If  conductors  penetrate  directly  from  one 
zone  to  another,  without  encountering  a  protective  device  (e.g.  limiter, 
filter),  the  worst-case  conductor  excitation  must  be  the  same  for  both 
zones.  It's  also  likely  that  the  electric  and  magnetic  field  excitation  of 
the  Inner  zone  are  determined  by  the  penetrating  conductors.  For  many 
applications,  the  excitations  levels  for  the  two  zones  would  become  the 
same,  and  there  Is  no  advantage  to  separating  them  by  an  Ineffective  bar¬ 
rier:  I.e.  the  two  zones  could  more  easily  be  treated  as  one. 

If  there  are  protective  devices  on  the  conductors  at  the  Interface 
between  zones,  the  characteristics  of  the  devices  and  their  Installation 
determine  their  worst-case  transfer  function.  Again,  If  high  levels  of  Iso¬ 
lation  are  required,  small  details  of  their  construction  and  Installation 
may  be  Important  (e.g.  the  length  of  the  wires  on  a  voltage  limiter  deter¬ 
mine  the  Inductance  In  series  with  the  limiter  and  may  degrade  the  high- 
frequency  (I.e.  fast-rise)  response.  Again,  the  sophistication  of  the 
modeling  and  analysis  method  Is  determined  by  the  degree  of  Isolation 
required. 

3.2. 1.3  Equipment  Response. 

The  zone  stresses  established  above  Include  bounds  for  all  the 
relevant  stresses  within  a  particular  zone,  I.e.  Including  voltages  and  cur¬ 
rents  (as  a  function  of  frequency  or  time)  on  all  the  conductors  leading  to 
electronic  devices.  The  next  step  Is  to  determine  whether  these  stresses 
can  be  tolerated  by  the  devices  and  circuits,  I.e.  whether  the  equipment 
will  continue  to  perform  Its  required  function  In  spite  of  exposure  to  the 
stresses.  This  analysis  Is  best  separated  into  two  parts:  damage  and 
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upset.  The  damage  analysis  addresses  the  possibility  that  Individual  elec¬ 
tronic  devices  may  suffer  permanent  degradation  In  performance  characteris¬ 
tics  as  a  result  of  the  stresses.  The  upset  analysis  addresses  the  possibi¬ 
lity  that  the  electronics  function  can  be  disturbed  without  permanently  dam¬ 
aging  any  device. 

a.  Damage  Analysis. 

The  specifications  for  each  electronic  device  Include  the  range  of 
electrical  parameters  (e.g.  voltage  and  current)  over  which  the  device  Is 
designed  to  function.  For  example,  transistor  specifications  Include 
and  BVjjgQ  ,  the  minimum  values  of  the  collector-emitter  and  collector-base 
voltages,  respectively,  at  which  breakdown  could  occur.  These  values  do  not 
Imply  that  breakdown  will  occur  at  these  voltages,  only  that  they  won't 
occur  at  lesser  voltages.  Similarly,  there  are  usually  specifications  on 
maximum  steady-state  power  dissipation  or  maximum  emitter  current.  For  com¬ 
plex  microcircuits  the  maximum  values  are  usually  simpler:  maximum  values 
of  the  power  supply  voltage  and  the  requirement  that  all  terminal  voltages 
remain  between  the  most  positive  and  most  negative  power  supply  voltages. 
The  key  point  of  these  specifications  Is  that  they  are  not  subject  to  the 
type  of  statistical  variations  experienced  In  testing  semiconductor  devices 
for  electrical  damage  threshold.  These  limits  are  maintained  by  normal  pro¬ 
cess  control,  and  can  be  used  with  confidence  for  the  entire  population  of 
devices.  Prudent  design  cautions  engineers  to  maintain  some  margin  In 
actual  applications  to  allow  for  other  variables,  e.g.  temperature,  ageing, 
power  fluctuations.  However,  It's  reasonably  safe  to  assume  that  EMP  Induc¬ 
ed  transients  that,  combined  with  normal  operating  voltages,  do  not  exceed 
these  specifications  will  not  damage  the  devices.  This  Is  the  first  level 
of  analysis:  determine  whether  the  upper-bound  transients  in  a  zone  are 
within  the  rated  maximum  stresses  for  the  devices. 


The  next  level  In  the  analysis  hierarchy  assumes  that  transients 
that  exceed  the  normal  ratings  for  long-term  stresses  can  be  tolerated  to 
some  degree  under  short-term  excitation.  In  other  words,  semiconductor 


junctions  can  be  driven  Into  Zener  or  avalanche  breakdown  without  permanent 
damage,  as  long  as  the  duration  of  the  excitation  Is  short  enough.  This  Is 
the  subject  addressed  by  most  research  on  EMP  effects  on  electronic  devices. 
It  is  within  this  realm  of  excitation  that  wide  statistical  variations  have 
been  reported.  The  difficulty  has  been  attributed  to  the  creation  of  narrow 
current  filaments  within  a  device  by  Instability  mechanisms.  It  Is  reason¬ 
able  to  assume  that  damage  to  an  electronic  device  will  only  be  produced  If 
the  temperature  In  some  part  of  that  device  exceeds  a  threshold  value.  If  a 
large  volume  Is  heated  simultaneously  by  the  excitation  the  energy  required 
Is  large;  If  only  a  small  filament  Is  heated,  failure  can  be  produced  by 
much  less  energy.  For  longer  pulses  there  Is  an  Inherent  limit  to  the 
heated  volume:  the  dimensions  are  at  least  as  large  as  the  thermal  diffu¬ 
sion  length.  This  line  of  thought  was  developed  Into  a  prediction  method 
for  a  lower  limit  on  the  damage  threshold  of  semiconductor  junctions 
(Ref.  1). 

Other  methods  of  establishing  analytical  bounds  on  the  tolerance 
of  electronic  devices  to  electrical  overstress  have  used  experimental  data, 
adding  margins  for  statistical  variations,  and  have  used  device  specifica¬ 
tion  sheet  data,  also  with  margins  to  compensate  for  additional  uncertain¬ 
ties.  Unfortunately,  most  of  these  efforts  have  attempted  to  describe  the 
actual  failure  levels,  rather  than  concentrating  on  safe  operating  limits. 
We  believe  that  a  careful  review  of  all  these  sources  of  information  will 
reveal  that: 

1.  There  are  useful  lower  bounds  on  the  electrical  overstress 
energy  below  which  damage  Is  not  observed. 

2.  The  voltages  at  which  these  bounds  are  encountered  are  not 
very  much  larger  (I.e.  not  by  more  than  a  factor  of  2)  than 
the  rated  maximum  operating  voltages  1n  complex  microcir¬ 
cuits. 

1.  van  Lint,  V.A.J.  and  R.E.  Leadon,"  Hardness  Assurance  Implications  of 
Variations  In  Junction  Burnout",  Vol.  NS-24,  No.  6.  2084  (1977). 
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The  implication  of  these  statements  is  that  the  safest  approach  is  to  limit 
the  stresses  to  the  electrical  specifications.  The  next  safest  approach  is 
to  use  a  conservative  analytical  bound  on  the  allowable  overstress  energy. 
Beyond  this  point,  the  only  reasonable  recourse  is  an  ongoing  program  of 
device  sample  testing,  with  all  the  accompanying  implications  of  hardness 
assurance,  maintenance  and  surveillance.  Clearly  such  cases  should  be 
limited  to  special  needs. 


Another  implication  of  this  approach  is  that  the  insertion  of 
voltage  limiters  at  the  interfaces  between  the  internal  and  external  wiring 
is  a  particularly  powerful  hardening  method.  These  devices  can  clamp  the 
transients  at  levels  intermediate  between  normal  signal  voltages  and  the 
breakdown  ratings  of  the  devices  inside  the  electronics  box. 


b. 


Upset. 


Upset  is  more  difficult  to  deal  with  in  general,  because  the 
stresses  that  can  produce  functional  upset  are  within  the  range  of  normal 
operating  parameters.  For  example,  a  digital  logic  circuit  that  changes 
state  when  the  input  voltage  changes  from  0  to  5  V  will  do  so  whether  the 
change  is  produced  by  an  upstream  circuit  or  by  an  EMP-induced  transient. 


Therefore,  the  hierarchy  for  upset  analysis  follows  a  different 
route  than  damage  analysis.  The  first  step  is  the  same:  determine  whether 
the  upper-bound  transients  are  large  enough  to  cause  any  recognizable  dis¬ 
turbance.  Instead  of  comparing  the  transients  with  breakdown  voltages,  they 
are  now  compared  with  noise  margins  (e.g.  typically  1  V  for  TTL  circuits). 
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Unless  the  external  protection  has  been  very  thorough,  the  result  will  be 
that  such  disturbances  are  possible,  not  only  in  circuits  connected  to 
wiring  leading  out  of  the  electronics  boxes,  but  also  induced  inductively 
into  wiring  inside  the  electronics  box. 

The  most  powerful  analysis  technique  for  eliminating  upset  modes 
is  functional  analysis  of  the  electronics.  The  nature  of  the  electronics 
function  and  how  it  accomplishes  it  frequently  eliminates  most  upset  con¬ 
cerns.  The  following  examples  illustrate  this  point. 

Most  electronic  subsystems  are  designed  to  perform  a  function  that 
is  inherently  slow  on  an  EMP  time  scale:  e.g.  missile  steering,  voice  commu¬ 
nication,  navigation.  The  output  circuits  that  actually  command  the  func¬ 
tion  are  usually  slow:  a  short  lived  transient  is  hardly  noticeable.  How¬ 
ever,  the  determination  of  the  function  is  sometimes  performed  by  faster 
circuits  (e.g.  a  digital  computer).  Even  then,  the  input  data  used  by  the 
computer  may  also  be  relatively  slow  (e.g.  accelerometer  inputs).  Moreover, 
a  major  portion  of  the  electronics  is  the  power  supply,  in  which  large  capa¬ 
citors  are  used  to  stabilize  the  output.  A  priori,  this  description  leads 
naturally  to  the  principal  suspect  for  upset:  the  digital  computer,  or,  more 
generally,  digital  circuits. 

Even  digital  circuits  don’t  necessarily  imply  upset  susceptibi¬ 
lity.  Consider  a  digital  gate  network,  in  which  the  output  at  any  instant 
is  determined  by  the  state  of  all  the  inputs.  If  the  inputs  are  controlled 
by  slow  actions,  and  the  output  only  affects  slow  circuits,  the  transient 
disturbance  will  go  unnoticed.  On  the  other  hand,  if  the  network  includes 
latching  devices  (e.g.  flip-flops  or  memory  cells),  the  state  in  which  the 
circuits  are  left  after  the  transient  may  be  different  than  the  state  in 
which  it  started,  and  malfunction  is  possible. 


Sometimes,  even  in  memory  circuits,  upset  is  not  produced  by  tran¬ 
sients.  For  example,  a  common  practice  in  issuing  discrete  commands  is  for 
a  circuit  to  perform  a  given  operation  a  number  of  times  (e.g.  3)  before  the 
result  is  accepted  and  acted  on.  The  likelihood  of  three  EMP  exposures  pro¬ 
ducing  the  same  affect  at  the  required  time  intervals  is  negligible.  There¬ 
fore,  the  more  likely  failure  is  that  the  EMP  disturbed  the  Issuance  of  the 
discrete  if  it  occurred  during  the  correct  small  time  window.  This  illu¬ 
strates  an  important  aspect  of  upset:  many  electronic  subsystems  have  small 
windows  in  which  they  may  be  particularly  susceptible  to  upset.  The  system 
specifications  must  address  the  tolerance  level  for  such  windows. 

Finally,  there  is  the  digital  processor.  It's  clear  that  a  gene¬ 
ral  purpose  digital  processor  is  likely  to  be  disturbed  unacceptably  if 
logic  level  signals  (>1  V)  with  durations  comparable  to  clock  pulses  (gene¬ 
rally  fractions  of  a  microsecond  in  high  speed  computers,  slower  in  some 
special  purpose  machines)  are  inserted  into  their  internal  wiring.  Specific 
hardening  Is  still  possible  (e.g.  by  active  circumvention),  but  is  not 
likely  to  be  found  in  Army  tactical  equipments.  Clearly,  the  first  line  of 
defense  in  this  case  is  to  suppress  the  transients  below  the  noise  margin  of 
the  circuits.  This  clearly  cannot  be  done  with  voltage-limiting  devices  at 
the  interfaces:  normal  operating  signals  will  exceed  the  noise  margins.  It 
can  be  done  with  filters,  if  the  frequency  spectrum  of  normal  operating  sig¬ 
nals  is  much  different  (higher,  as  in  radios,  or  lower,  as  in  power  and  slow 
signals)  than  the  EMP-induced  transients. 

This  discussion  is  not  to  imply  that  upset  analysis  is  easy;  it  is 
not,  and  there  are  an  enormous  number  of  special  cases.  The  discussion  is 
intended  to  imply  that  such  analysis,  intelligently  approached,  is  practi¬ 
cal.  It  also  illustrates  that  the  approach  is  different  than  damage  analy¬ 
sis:  it  takes  an  electronics  functional  point  of  view  rather  than  a  device 
point  of  view. 


3.2.2  Testing. 


EMP  hardness  validation  testing  has  more  options  than  analysis. 
It  can  cover  either  the  same  partitioned  subjects  discussed  above,  or  it  can 
combine  a  number  of  them.  There  are  two  fundamental  choices  in  a  test:  the 
excitation  and  the  diagnostics.  Overlaying  this  choice  is  the  matter  of 
excitation  level:  for  linear  interactions  the  excitation  can  be  any  level 
that  provides  adequate  signal  compared  to  noise  in  the  diagnostics.  For 
nonlinear  problems,  the  excitation  must  be  related  to  the  realistic 
stresses. 

A  prudent  means  of  test  planning  is  to  decide  first  the  nature  of 
the  uncertainties  to  be  resolved  by  the  test.  This  is  best  done  within  the 
context  of  the  analysis.  Examples  are: 

1.  There  is  insufficient  margin  available  to  use  a  simple  coup¬ 
ling  bound.  Therefore,  an  accurate  measure  of  the  coupling 
across  one  or  more  zone  boundaries  is  required. 

2.  There  is  insufficient  margin  available  to  use  generic  device 
susceptibility  thresholds.  Therefore,  statistically  valid 
data  on  particular  devices  is  required. 

3.  Additional  confidence  in  the  upset  analysis  is  required, 
because  there  are  so  many  possible  upset  modes. 

4.  High  confidence  in  the  hardness  of  a  few  critical  equipments 
is  required.  An  integrated  test  would  provide  confidence 
that  the  analysis  has  not  overlooked  a  critical  issue. 

Each  of  these  uncertainties  leads  to  a  different  type  of  test. 


1.  A  low-level  coupling  test,  perhaps  swept  CW,  to  measure  the 
frequency  characteristics  of  the  dominant  coupling  mecha¬ 
nisms. 

2.  A  step- stress- to- damage  test  on  a  large  lot  of  each  device 
type. 

3.  An  electrical  Injection  test  on  the  electronics  box  with  rea¬ 
listic  waveforms,  probably  with  breakout  boxes  at  the  cable 
connectors. 

4.  A  realistic  free-fleld  EMP  Illumination  of  the  electronics 
and  associated  structure,  combining  both  electronics  func¬ 
tional  diagnostics  and  selected  Internal  excitation  measure¬ 
ments. 

It's  apparent  from  the  foregoing  example,  that  there  Is  a  tradeoff 
between  analysis  and  tests,  and  between  test  complexity,  cost  and  realism. 
As  before  In  the  case  of  analysis,  the  existence  of  margins  In  the  design 
will  allow  simpler  test  to  suffice. 

3. 2. 2.1  Excitations. 

The  choice  of  test  excitations  requires  first  the  determination  of 
excitation  level  requirements.  If  the  assumption  of  linear  response  Is 
acceptable,  more  options  are  available.  If  this  assumption  Is  not  accept¬ 
able,  the  excitations  are  limited  to  those  that  are  sufficiently  realistic 
In  both  amplitude  and  waveform.  "Sufficiently  realistic*  means  that  the 
test  margin  Is  large  enough  to  conpensate  for  the  degree  of  unrealism. 


The  simplest  threat-like  excitation  Is  the  free  field  EMP  wave¬ 
form,  which  Is  usually  contractually  specified.  Actually,  since  It's  costly 
to  reproduce,  there  are  usually  some  compromises  (e.g.  notches  in  the  fre¬ 
quency  spectrum).  The  seriousness  of  those  compromises  must  be  judged  by 
referring  to  the  analysis,  and  should  be  compensated  by  margins.  This  wave¬ 
form  Is  applicable  only  to  the  outermost  portions  of  the  structure  contain¬ 
ing  the  electronics. 

The  next  step  In  threat-like  excitations  Is  reproducing  the  curr¬ 
ents  and  electric  fields  on  the  outermost  conducting  boundary  of  the  struc¬ 
ture:  e.g.  the  skin  of  an  airplane.  At  this  point  the  waveform  Is  markedly 
different  from  the  Incident  field,  since  the  structure  has  superimposed  Its 
own  frequency  response  on  the  frequency  content  In  the  Incident  field.  The 
advantage  to  moving  to  this  level  of  assembly  Is  that  It's  much  less  costly 
in  energy  and  technology  to  reproduce  the  surface  conditions  on  a  finite 
object  than  to  produce  the  threat  fields  In  a  large  volume  of  space.  It 
requires  an  adequate  knowledge  of  the  frequency  dependent  transform  from 
free  field  to  surface  fields,  but  these  can  be  derived  from  a  combination  of 
analysis  and  low-level  coupling  measurements. 

The  next  step  In  excitation  Involves  driving  realistic  currents 
and  voltages  (e.g.  Theveni n-equivalent  sources)  on  the  cables  In  the  struc¬ 
ture.  Since  at  this  point  the  waveforms  are  distorted  even  more  by  the  fre¬ 
quency  response  of  the  complex  structure  and  cabling  topology,  the  demands 
on  analysis  and/or  low-level  coupling  experiments  are  more  severe.  However, 
the  requirements  on  the  test  facilities  become  much  less,  because  relatively 
little  energy  Is  required  to  produce  realistic  cable  excitations. 


Following  the  excitation  chain  Inwards,  we  come  to  the  wires  and 
pins  entering  electronics  boxes.  Again,  more  information  Is  needed  about 
coupling  to  define  an  adequate  test,  but  It's  easier  to  perform  the  test  at 


Finally,  there's  the  excitation  at  the  individual  electronic 
devices.  In  this  case  it's  possible  to  generate  reasonable  statistical 
data,  and  to  use  semi-empirical  scaling  relations  to  convert  data  for  dif¬ 
ferent  pulse  waveforms. 

b.  Excitations  for  Linear  Problems. 

Once  linearity  can  be  assumed  the  range  of  possible  excitations 
expands,  as  does  the  general izability  of  the  test  results.  This  gain  is  the 
result  of  the  superposition  theorem  for  linear  problems:  not  only  can  we 
scale  the  results  in  amplitude  by  simple  multiplication,  we  can  add  the 
results  of  different  excitations  algebraically.  This  theorem  is  particu¬ 
larly  valuable  with  respect  to  waveforms.  The  result  of  a  given  excitation 
can  be  analyzed  into  its  frequency  components  (e.g.  by  Fourier  analysis), 
and  the  results  of  different  excitations  can  be  synthesized  from  those  com¬ 
ponents  (e.g.  by  Fourier  synthesis). 

In  the  linear  regime,  there  are  two  types  of  excitation  choices: 
excitation  waveform  and  excitation  level.  Both  of  these  are  determined  by 
the  same  important  criterion:  signal  compared  to  noise.  High  signal/noise 
ratios  are  required  if  detailed  Fourier  analysis  and  synthesis  are  to  be 
performed.  Therefore,  the  excitation  must  be  high  enough,  and  the  diagnos¬ 
tic  instrumentation  clean  enough,  to  provide  the  needed  signal/noise  ratio. 

Three  types  of  excitation  waveforms  are  frequently  used: 

1.  Continuous  wave  at  various  discrete  frequency  (e.g.  swept 
CW). 

2.  Step  function  pulse,  single  or  repetitive. 

3.  Damped  sine  wave  pulse  at  various  center  frequencies. 


The  first  technique  enables  measurements  to  be  made  with  high  sig¬ 
nal/noise  ratio  using  lock-i-  type  detector  systems.  It  is  time  consuming, 
since  the  frequency  intervals  between  measurements  should  be  small  enough  to 
avoid  overlooking  any  important  coupling  resonances. 

The  step>function  pulse  method  has  the  advantage  that  it  contains 
a  wide  spectrum  of  frequencies,  and  allows  the  system  to  reveal  its  own 
resonances.  In  the  single-shot  mode  it  requires  more  excitation  to  achieve 
a  given  signal /noise  ratio.  In  the  repetitive  pulse  mode  the  signal /noise 
can  be  enhanced  by  digital  signal  averaging.  It  requires  Fourier  analysis 
of  the  input  and  output  signals. 

The  damped-sine  method  is  frequently  used  to  drive  electronics 
boxes,  albeit  at  threat-like  levels.  It  falls  intermediately  between  the 
other  two  methods,  because  a  number  of  frequencies  are  required  to  cover  the 
possible  resonances,  but  each  excitation  has  a  broader  frequency  spectrum 
than  the  CW  method.  In  principle,  the  center  frequencies  should  be  close 
enough  to  cover  all  intermediate  frequencies. 

3. 2.2.2  Diagnostics. 

The  second  part  of  any  test  is  the  diagnostics;  the  measurements 
that  are  made  to  determine  the  response  of  the  test  object.  Again  these  are 
strongly  determined  by  the  object  of  the  test:  I.e.  the  uncertainty  it's 
intended  to  resolve.  Generally,  the  diagnostics  falls  into  three  catego¬ 
ries:  excitation  and  response  measurements  and  functional  diagnostics. 

We  define  excitation  measurements  as  those  that  measure  the  char¬ 
acter  of  the  transients  induced  into  the  system,  excluding  the  response  of 
the  electronic  devices.  Response  measurements  determine  the  specific  reac¬ 
tions  of  the  electronic  devices  to  the  electrical  excitations.  We  define 
functional  diagnostics  as  those  response  measurements  that  are  directly 
related  to  the  function  of  the  electronic  subsystem. 
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For  example,  consider  a  radio  receiver  under  test  by  direct  elec¬ 
trical  injection  on  its  cabling.  Excitation  diagnostics  would  include  mea¬ 
surements  on  the  pin  currents/ voltages.  Response  diagnostics  would  include 
measurements  of  the  signals  appearing  within  the  amplifier  chain.  Func¬ 
tional  diagnostics  would  look  at  the  character  of  the  information  out  of  the 
radio  to  determine  whether  it  was  within  acceptable  ranges  (e.g.  duration  of 
disturbance,  signal /noise  ratio  after  exposure). 


The  objectives  of  the  test  will  strongly  influence  the  tradeoffs 
that  must  be  made  in  the  diagnostics.  Excitation  and  response  measurements 
provide  the  best  information  for  comparison  with  analysis,  but  introduce  the 
risk  of  distur.^ing  the  test  item's  response.  Functional  diagnostics  is  most 
closely  related  to  the  system's  application,  and  usually  is  easily  made  in  a 
non-  disturbing  fashion,  but  provides  little  in  the  way  of  interpretable 
evidence  if  a  surprise  is  found.  Nor  does  it  provide  information  on  inci¬ 
pient  failures,  i.e.  malfunctions  that  may  occur  at  very  slightly  higher 
excitation  levels. 


3.2.3  Tradeoffs. 


The  foregoing  outline  of  analysis  and  test  methods  suggests  the 
tradeoffs  for  planning  an  EMP  hardness  validation  methodology.  Usually,  the 
simpler  analyses  are  less  costly  than  tests;  the  simpler  tests  are  less 
costly  than  the  more  realistic  tests.  Design  margins  can  be  used  to  drive 
the  validation  methodology  toward  the  less  costly  options.  The  exact  choice 
of  methods  can  be  tailored  to  the  specific  application.  What  Is  needed  Is  a 
clear  definition  of  how  to  carry  out  each  of  these  methods  (e.g.  a  Stan¬ 
dard),  accompanied  by  a  rule  to  derive  the  margin  that  must  be  Incorporated 
Into  each  method's  application  to  compensate  for  its  uncertainties  (Includ¬ 
ing  unrealism). 
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The  foregoing  subsections  have  outlined  the  methods  that  can  be 
used  to  validate  the  EMP  hardness  of  a  specific  electronic  system.  The  con¬ 
trol  over  these  methods  has  to  be  incorporated  in  formal  documents,  includ¬ 
ing  specification  formats,  standards,  and  certified  data.  Table  2  presents 
a  partial  catalog  of  documents  needed  to  support  this  methodology.  Clearly, 
even  for  this  limited  objective,  there  are  many  documents,  each  of  which  has 
to  be  prepared  with  care.  Ihe  catalog  also  makes  clear  that  the  individual 
documents  are  sufficiently  limited  in  scope  to  be  both  practical  and  useful. 
Of  course,  they  may  be  bound  together  as  a  combined  document,  but  each 
method  should  be  self-sufficient. 

3.3  TREE  HARDNESS  VALIDATION. 

The  inputs  to  a  TREE  hardness  validation  of  an  electronics  system 

are; 

1.  One  or  more  specified  radiation  environments  incident  on  the 
system,  including  gammas.  X-rays  and  neutrons,  together  with 
some  measure  of  their  spectra  and  delivery  times. 

2.  A  definition  of  what  constitutes  acceptable  operation  by  the 
electronics  system. 

3.  A  description  of  the  system,  and  possibly  one  or  more  subsys¬ 
tems  for  inspection  and/or  testing. 

The  outputs  of  the  validation  task  are: 

1.  A  conclusion,  if  justified,  that  the  system,  as  designed  and 
constructed,  will  perform  as  required  in  spite  of  exposure  to 
one  or  more  specified  nuclear  environments. 


Table  2.  Partial  catalog  of  standards,  specification  formats  and 
certified  data  EMP  validation. 


TITLE 

EMP  waveform  specification 


Standard  method  for  calculation 
of  coupling  to  antenna 


Thevenin  source  for  long 
penetrating  wires 


Standard  method  for  calculation 
of  diffusion  and  leakage  through 
an  enclosure 

Standard  method  for  calculating 
shield  currents 


Certified  data  of  cable  transfer 
impedances 


Standard  method  of  measuring 
cable  transfer  impedance 


Standard  method  for  calculation 
of  Thevenin  equivalent  source 


EMP  pin  specification  format 


Standard  practices  in  EMP  circuit 
analysis 


PURPOSE  OR  CONTENTS 

Waveform  specification  format  and 
actual  specified  EMP  waveform. 

Method  of  calculating  coupling  to 
small  antenna  on  the  system  and 
coupling  to  the  system  itself. 

Given  the  EMP  waveform  this  standard 
calculates  the  Thevenin  source  for 
long  wires  attached  to  the  system. 
Provisions  for  different  ground  con¬ 
ductivities  are  included  in  the  cal¬ 
culation. 

Methods  of  calculating  diffusion  and 
leakage  through  all  possible  points  of 
entry. 

Methods  which  determine  currents  of 
Induced  on  cables  due  to  fields  inter¬ 
nal  to  the  box. 

Induces  data  on  various  types  of  con¬ 
ductors  and  connectors  over  frequency 
ranges  of  interest  to  EMP. 

Supplies  methods  to  determine  cable 
transfer  impedance  when  it  is  not 
available  in  the  previous  document. 

Provides  method  to  calculate  Thevenin 
equivalent  source  on  wires  from  shield 
currents,  cable  transfer  impedance, 
and  source  impedance. 

Specifies  format  of  threat  pulse  that 
appears  on  pins. 

Includes  standard  circuit  analysis 
methods. 
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Table  2.  Partial  catalog  of  standards,  specification  formats  and 
certified  data  EMP  validation  (concluded). 


TITLE 

Device  electrical 

Hardness  critical 


PURPOSE  OR  CONTENTS 


response  criteria  Existing  document  which  includes 

methods  to  determine  safe  operating 
threshold  regime  for  a  device  from 
stated  specifications. 

Categorization  Explains  H.C.C.  and  the  concept  of 

design  margins.  Also  included  are 
recipes  to  categorize  devices. 


2.  Identification  of  those  elements  of  the  design  whose  margins 
are  insufficient  to  assure  continued  hardness  during  serial 
production  or  routine  operation  and  maintenance. 

These  inputs  and  requirements  are  similar  to  those  discussed  in 
Section  3.2  on  EMP  hardness  validation;  only  the  interactions  and  the  rele¬ 
vant  parameters  are  different.  As  in  that  case,  the  objective  is  different 
from  establishing  a  fragility  curve.  The  requirement  is  inherently  unsymme- 
trical:  to  establish  that  the  system  is  tolerant  to  a  given  environment,  not 
to  establish  the  environment  at  which  it  will  malfunction.  There  are  other 
analogies,  as  well  in  the  partitioning  of  the  problem,  but  the  relative 
emphasis  on  various  means  of  protection  is  very  different.  Where  shielding 
and  interface  limiting  play  a  major  role  in  EMP  protection,  shielding  is 
only  effective  against  X-  rays  ,  and  protection  has  to  be  provided  at  the 
device/circuit  level  for  the  effects  of  TREE. 

3.3.1  Analysis  Methods. 

As  in  the  case  of  EMP  the  analysis  divides  naturally  into  a  coup¬ 
ling  portion  -  i.e.  the  transport  of  the  radiation  from  the  incident  envi¬ 
ronment  to  the  affected  device  -  and  a  response  portion  -  the  response  of 
the  device  to  the  radiation  at  its  location.  In  contrast  to  EMP,  the  trans¬ 
port  part  is  usually  trivial  for  the  gamma  and  neutron  components  of  the 
radiation,  and  is  only  slightly  more  complex  for  the  X-ray  component.  To  a 
reasonable  approximation,  the  transport  is  dependent  primarily  on  the  amount 
and  atomic  number  of  the  intervening  material,  and  relatively  independent  of 
other  details  of  the  geometry. 

The  device  response  is  more  complex,  and  is  subject  to  statistical 
variations  which  are  only  slightly  less  in  magnitude  than  for  electrical 
excitation.  In  the  case  of  radiation  excitation  there  are  not  even  defined 
safe  operating  levels  to  which  electrical  excitation  can  be  reduced  with 
confidence. 


since  the  absorption  length  for  gamma  rays  and  neutrons  is  gener¬ 
ally  long  compared  to  the  amount  of  intervening  material  for  most  electronic 
systems,  it's  usually  adequate  to  define  the  gamma  and  neutron  intensities 
at  the  affected  devices  to  be  equivalent  to  the  incident  intensities.  For 
this  purpose  only  one  stress  zone  is  required. 

X-rays  are  a  different  story.  For  them  the  amount  of  intervening 
material,  and  especially  the  atomic  number  of  the  material,  determines  the 
stresses  placed  at  the  devices.  Therefore,  a  zoning  scheme  similar  to  that 
used  for  EMP  is  appropriate.  Again  there  is  a  tradeoff  between  increasing 
the  number  of  zones,  with  the  worst  case  environment  in  each  zone  tailored 
to  its  shielding,  or  decreasing  the  zone  count  with  more  margin  required  for 
some  devices,  but  with  considerable  saving  in  analysis  complexity. 

3. 3. 1.2  Zone  Stresses. 

The  zone  stresses  for  gamma  rays  and  neutrons  are  usually  the  same 
as  in  the  incident  environment.  For  X-rays,  calculations  of  the  shielding 
effectiveness  are  required.  These  calculations  must  take  into  account  the  Z 
dependence  of  the  material  absorption  properties,  a  variety  of  potential 
directions  from  which  the  incident  radiation  may  expose  the  system,  and  the 
variation  of  the  photon  spectrum  as  it  passes  through  the  absorbing  mater¬ 
ial.  There  are  a  hierarchy  of  methods  for  calculating  X-ray  transport. 

The  simplest  method  divides  the  incident  fluence  into  a  convenient 
number  of  energy  groups,  and  transports  each  group  with  an  exponential 
attenuation  factor  determined  by  the  effective  energy  absorption  cross  sec¬ 
tion.  This  calculation  can  be  performed  by  hand,  or  ,  more  conveniently,  by 
a  standard  spread-sheet  program  on  a  personal  computer.  It  is  reasonably 
accurate  for  modest  shielding  factors  -  i.e.  attenuations  not  much  greater 
than  a  factor  of  100.  At  the  deeper  locations  it  tends  to  over-estimate  the 
stress,  which  is  consistent  with  a  conservative  approach. 


More  complex  calculations  depend  on  better  description  of  the 
absorbing  geometry,  and  more  detailed  tracking  of  photon  energies  as  they 
are  decreased  by  Compton  scattering.  Usually,  these  calculations  are  per¬ 
formed  on  a  main- frame  computer  (e.g.  VAX  , CYBER,  CRAY)  using  Monte  Carlo 
programs.  These  programs  must  follow  many  interaction  histories  to  generate 
sufficient  statistics.  They  can  be  performed  in  1,  2  or  3  dimensions, 
depending  on  the  accuracy  required  and  the  computer  budget.  They  can  gene¬ 
rate  more  accurate  answers  for  complex  geometries.  One  must  remember,  how¬ 
ever,  that  if  the  difference  between  the  accurate  answer  and  an  approximate 
one  is  significant,  the  control  of  the  variables  entered  into  the  more  com¬ 
plex  calculation  (e.g.  the  geometrical  description  of  the  system)  is  also 
critical.  All  too  often  much  effort  is  expended  on  an  accurate  radiation 
transport  calculation  for  an  ill-defined  or  ill-controlled  geometry,  or  when 
the  statistics  of  device  response  far  outweighs  the  uncertainty  in  radiation 
exposure. 


3. 3. 1.3  Equipment  Response. 


As  in  the  case  of  EMP,  electronic  equipment  responses  to  radiation 
can  be  categorized  as  damage  and  upset,  depending  on  whether  there  is  a 
relatively  permanent  degradation  of  device  characteristics.  There  are  some 
additional  complexities  associated  with  short-term  annealing  (  especially  in 
time  scales  of  less  than  1  sec)  of  the  damage. 


a.  Damage  Analysis. 

Damage  analysis  involves  two  parts:  establishing  the  device  para¬ 
meter  bounds  for  acceptable  circuit  function,  and  establishing  the  device 
response  to  the  given  radiation  stress.  At  one  time  establishing  acceptable 
device  parameter  bounds  involved  much  complicated  circuit  analysis,  because 
the  individual  circuits  were  custom  designed  from  discrete  components.  In 


many  modern  electronics  most  of  the  functions  are  performed  by  microcir¬ 
cuits,  which  have  certain  inherent  performance  requirements.  More  or  less  a 
microcircuit  function  defines  acceptable  performance,  as  distinct  f rom  i  a 
transistor,  whose  satisfactory  performance  depends  on  the  specific  circuit 
in  which  it's  incorporated.  There  are  some  variables  in  microcircuit  per¬ 
formance.  The  range  of  power  supply  voltages  over  which  it  will  perform 
acceptably  is  one.  Another,  for  high  speed  circuits,  is  the  maximum  clock 
frequency  at  which  it  will  perform  satisfactorily.  For  analog  circuits 
there  is  also  the  gain-bandwidth  product,  and  sometimes  input  offsets.  In 
digital  circuits  there  is  also  fanout,  which  determines  the  maximum  number 
of  inputs  driven  by  an  output.  Nevertheless,  these  requirements  can  usually 
be  determined  much  more  easily  than  the  analysis  of  a  typical  discrete-part 
circuit. 

Both  ionizing  radiation  (gammas  and  X-rays)  and  displacing  radia¬ 
tion  (e.g.  neutrons)  can  produce  permanent  damage  in  electronic  devices, 
especially  semiconductor  devices.  As  distinct  from  EMP,  in  which  the  damage 
tends  to  be  catastrophic,  TREE  manifestations  are  mostly  in  the  form  of  gra¬ 
dually  increasing  degradation  as  the  exposure  increases.  The  variations  in 
response  of  supposedly  identical  devices  is  a  serious  problem,  because  the 
variables  that  determine  the  radiation  response,  especially  to  ionizing 
radiation,  are  not  tightly  controlled  by  the  manufacturing  process. 

Nevertheless,  there  are  some  simple  techniques  available  to  the 
analyst  if  the  margin  is  sufficient.  For  example,  in  both  bipolar  and  FET 
devices  it's  possible  to  establish  an  upper  limit  on  the  rate  at  which  dis¬ 
placing  radiation  (e.g.  neutrons)  can  produce  damage.  This  upper  limit  can 
be  determined  from  device  characteristics  reported  in  their  specification 
sheets  (e.g.  breakdown  voltages  and  frequency-band  width  product).  If  this 
worst  case  response  is  acceptable,  no  further  analysis  or  testing  is 
requi red. 


Similar  upper  limits  can  be  established  for  long-term  ionization 
effects  in  semiconductor  devices,  but  they  are  not  as  useful,  particularly 
in  MOSFET  and  high  performance  OpAmp  applications. 

The  next  level  of  analysis  uses  device  test  data  for  similar  gen¬ 
eric  devices.  There  are  large  variations  in  test  results  for  each  type  of 
device,  and  between  manufacturers,  and  between  lots  for  a  given  manufactur¬ 
er.  However,  if  the  margin  is  sufficient  to  encompass  these  variations,  a 
safe  conclusion  is  justified. 

Finally,  one  may  have  to  resort  to  testing  to  generate  acceptable 
response  data.  Unfortunately,  this  almost  always  means  that  the  margin  is 
insufficient  to  avoid  ongoing  testing  to  meet  hardness  assurance,  hardness 
maintenance  and  hardness  surveillance  requirements. 

b.  Upset  Analysis. 

Upset  analysis  for  TREE  excitations  is  similar  to  the  EMP  problem 
discussed  in  Section  3.2. 1.3.  Again  a  functional  analysis,  the  same  func¬ 
tional  analysis  required  for  EMP,  is  the  best  screen  to  eliminate  most 
potential  problem  spots. 

Generic  upset  thresholds  of  microcircuits  can  be  used  with  consi¬ 
derable  confidence.  In  general,  the  variation  of  upset  threshold  is  not 
nearly  as  large  for  a  given  device  type  as  the  variation  in  long-term  ioni¬ 
zation  damage. 

3.3.2  Testing. 

The  foregoing  discussion  of  EMP  testing  has  a  direct  analog  in 
TREE  applications.  The  purpose  of  the  test  -  i.e.,  the  uncertainty  it  is  to 
resolve  -  needs  to  receive  priority  attention.  After  that  the  test  require¬ 
ments  -  incident  radiation  and  diagnostics  -  follow  naturally. 
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The  range  of  parameters  for  excitations  include  the  type  of  radia¬ 
tion,  the  spectrum  and  the  time  scale.  Long  term  damage  can  usually  be  pro¬ 
duced  with  a  long-term  steady-state  radiation.  Transient  effects  and  short¬ 
term  annealing  require  more  intense,  pulsed  radiation  sources.  The  effects 
of  penetrating  radiation  in  which  the  Z-dependence  of  absorption  is  not 
important  can  be  produced  by  a  wide  range  of  radiation  spectra.  If  photo¬ 
electric  absorption  is  important,  special  attention  is  required  to  the  spec¬ 
trum.  In  this  case  there  is  usually  a  strong  tradeoff  between  realism  in 
absorption  characteristics  and  available  intensity. 

This  subject  has  received  much  attention  as  part  of  Simulation 
Fidelity  investigations.  The  important  point  here  is  that  the  results  of 
such  investigations  must  be  incorporated  into  recipes  that  can  be  routinely 
applied,  and  legally  approved,  to  equipment  hardness  validation. 

3.3. 2.2  Diagnostics. 

The  diagnostics  issues  also  are  analogous  to  the  EMP  discussion. 
Detailed  excitation  and  response  diagnostics  provide  better  information  for 
comparison  with  analysis;  functional  diagnostics  minimizes  the  system  per¬ 
turbation  and  generates  directly  applicable  functional  response  conclusions. 
The  rules  by  which  these  decisions  are  made  need  to  be  written  down. 

3.3.3  Tradeoffs. 


The  tradeoffs  in  choosing  particular  TREE  validation  methods  have 
the  same  character  as  for  EMP  applications.  More  complex  methods  should  be 
used  only  when  the  margin  is  insufficient  to  justify  simple  bounds.  This 
should  occur  only  when  the  extra  costs  of  hardness  validation,  assurance, 
maintenance,  and  surveillance  are  preferable  to  the  cost  of  incorporating  a 
larger  margin  in  the  design. 


3.3.4  Appl fcatlons. 


As  in  the  EMP  case,  a  lot  of  documents  are  needed  to  formalize  the 
analysis  and  test  methods  to  support  the  various  validation  options.  These 
include  standards  for  analyses  and  tests,  specification  formats  for  various 
levels  of  assembly  from  the  elementary  device  up,  and  certified  data/rela¬ 
tions  (e.g.  generic  worst  case  bounds  on  device  response). 

Sample  partial  drafts  of  two  of  the  documents  that  are  required 
are  presented  in  Appendices  B  and  C.  These  are  not  finished  products,  but 
only  to  illustrate  the  approach  that  can  be  taken. 


DRAFT  STANDARD  STATISTICAL  METHODS  FOR  HARDNESS  VALIDATION  ANAYLSIS 


A.l  SCOPE. 


The  scope  of  this  document  is  limited  to  the  statistical  tests 
required  to  categorize  electronic  piece  parts. 

A.  1.1  OBJECTIVE. 

A  radiation  hardened  system  is  designed  to  survive  a  specific  set 
of  nuclear  threats.  This  means  that  the  response  of  individual  piece  parts 
to  radiation  environments  must  fall  within  certain  well  defined  acceptance 
limits.  Typically,  the  radiation  environments  can  produce  a  number  of  dam¬ 
aging  effects.  In  the  hardness  validation  approach  a  methodology  is  devel¬ 
oped  for  the  analysis  of  piece  part  response  to  each  potentially  damaging 
effect.  Each  method  imposes  a  design  margin  to  cover  uncertainties  and 
inaccuracies.  The  uncertainties  arise  because  of  the  wide  variability  char¬ 
acteristic  of  device  radiation  response.  Consequently,  statistical  analysis 
plays  a  critical  role  in  the  definition  and  the  quantitative  assessment  of 
design  margins.  Questions  concerning  the  interrelationship  of  sample  size, 
confidence  level,  failure  probability,  and  the  sample  parameters  can  be 
quantitatively  addressed  using  the  statistical  approach.  In  the  past  ambi¬ 
guities,  inconsistencies,  and  incompleteness  have  been  associated  with 
descriptions  of  statistical  procedures  applied  to  component  categorization. 
The  objective  here  is  to  describe  the  useful  procedures  as  clearly  and  unam¬ 
biguously  as  possible.  Controversial  questions  and  questions  yet  to  be 
addressed  will  be  identified. 


A.1.2 


DOCUMENT  APPLICATION. 


This  document  is  applicable  to  neutron  and  total  ionizing  dose 
effects  in  all  piece  parts  used  in  military  systems.  The  environments  of 
concern  include:  endo-  and  exo-  atmospheric  nuclear  weapon  environments, 
nuclear  power  sources,  and  natural  space  radiation  environments. 

Experimental  data  shows  that  temperature,  circuit  operating  condi¬ 
tions,  and  simulation  fidelity  (the  appropriateness  of  the  radiation  test 
facility  for  simulating  the  effect  of  interest)  all  play  important  roles  in 
determining  the  response  observed.  An  extensive  literature  exists  which 
details  the  role  of  these  factors  in  determining  device  response.  The  focus 
in  the  present  document,  however,  is  the  relationship  between  survivability 
goals  (survival  probability  and  confidence  level),  sample  characteristics 
(mean,  standard  deviation,  and  size),  design  margins,  part  categorization 
criteria,  design  margin  breakpoints  (demarcation  levels),  and  test  proce¬ 
dures  for  each  part  category  (wafer  level,  lot  level,  relative  frequency). 

A. 2  REFERENCED  DOCUMENTS. 

A.2.1  GOVERIMENT  SPECIFICATIONS  AND  STANDARDS. 

Unless  otherwise  specified,  the  following  specifications  and  stan¬ 
dards,  in  that  issue  of  the  Department  of  Defense  Index  of  Specifications 
and  Standards  specified  in  the  solicitation,  form  a  part  of  this  specifica¬ 
tion  to  the  extent  specified  herein 

SPECIFICATION 

MILITARY 

MIL-S-19500  -  Semiconductor  Devices,  General 

Specification  For 

MIL-M-38510  -  Microcircuits,  General  Specification  For 

MIL-C-45662  -  Calibration  System  Requirements. 


STANDARD 


MIL-STD--202  -  Test  Methods  For  Electronics  and 
Electrical  Component  Parts. 

MIL-STD‘750  ~  Test  Methods  For  Semiconductor  Devices. 

MIL-STD-883  ~  Test  Methods  And  Procedures  For 
Microel  ectronics 

Required  copies  of  specifications  and  standards  can  be  obtained 
from  the  contracting  activity  or  as  directed  by  the  contracting  officer. 

A.3  OEFINITIONS. 

A.3.1  OEFINITIONS.  THE  FOLLOWING  OEFINITIONS  APPLY: 

A.3. 1.1  Characterization  test.  The  radiation  characterization  test  con> 

sists  of  exposing  the  test  parts  to  increasing  total  dose  values 
until  the  radiation  induced  parameter  value,  PARr,  for  each 

part,  passes  the  specified  failure  value. 

A.3. 1.2  Confidence  Level.  The  probability  P  (usually  given  in  percent) 
that  at  least  a  fraction,  F,  of  the  parts  in  the  lot  will  survive. 

A. 3. 1.3  Survivable  Fraction.  The  proportion  of  the  parts  that  survive 

which  is  obtained  from  the  cumulative  portion  of  the  distribution 
below  the  failure  level. 

A. 1.3.4  Part.  The  electronic  part  type  used  in  a  specific  circuit  appli¬ 
cation  or  test. 

A.3. 1.5  Parameter  Value.  The  electrical  parameter  value  measured  for  a 
device. 


A. 3. 1.6  Lot.  The  collection  of  parts  from  which  the  sample  has  been 
taken. 

A. 3. 1.7  Validation  Test.  The  hardness  validation  testing  of  a  sample  of 
parts  from  a  procurement  lot. 

A. 3. 1.8  Parameter  Failure  Value.  The  circuit  failure  value  P  of  a  parti¬ 
cular  parameter  for  the  device  under  evaluation.  This  is  gen¬ 
erally  determined  by  a  worst  case  circuit  analysis  prior  to  radia¬ 
tion  testing. 

A. 3. 1.9  Parameter  Specification  Value.  The  device  parameter  specification 
value  prior  to  irradiation. 

A.3.1.10  Radiation  Induced  Parameter  Value.  The  postirradiation  parameter 
value  PARr. 

A.3.1.11  Measured  Mean  of  the  Logarithms  of  PARr.  For  the  lognormal  dis¬ 
tribution  where  PARri  is  the  parameter  value  measured  for  the 
ith  device. 

n 

IniPARp)  =  1/n  In  ^PAR^.j 

A.3.1.12  Measured  Standard  Deviation  of  the  Logarithms  for  PARr 
s'=ll/(n-l)  Hln(l>AR., )  - 

I  i-lL  J  I 

A.3.1.13  One  Sided  Tolerance  Limit.  Kjl  is  calculated  for  a  normal  dis¬ 
tribution.  In  the  present  statistical  treatment  of  device 
response  to  radiation,  it  is  assumed  that  the  logarit  m  of  the 
parameter  values  follow  a  normal  distribution.  For  parameters 


that  increase  with  radiation  exposure,  Kjl  is  a  factor  such  that 
the  probability  is  P,  that  at  least  a  fraction  F  of  the  lot,  will 
have  parameter  values  less  than  the  mean  plus  times  the 

standard  deviation.  For  parameters  that  decrease  with  radiation 
exposure,  <tl  is  a  factor  such  that  the  probability  is  P,  that 
at  least  a  fraction  F  of  the  lot,  will  have  parameter  values 
greater  than  the  mean  minus  Kjl  times  the  standard  deviation. 

A. 3. 1.14  Parameter  Design  Margin.  Mote  that  the  design  margin  is  NOT 
defined  in  terms  of  the  logarithm  of  the  device  parameter  response 
but  rather  in  terms  of  the  nonlogarithmic  parameter  values.  It  is 
customary  to  approximate  the  mean  of  a  lognormal  distribution  with 
the  geometric  mean  given  by  exp  (InlPARp)). 


PDM  =  PARj.  /exp 

For  values  that  decrease  with  radiation 
PDM  =  exp  {TnWM^))/PkR^ 

A. 3. 1.15  Total  Exposure.  The  total  ionizing  dose  or  fluence  will  be 
designated  Xp.  For  ionizing  radiation  the  units  are  rads(Si), 
for  neutrons  the  units  are  neutrons/cm^ . 

A.3.1.16  Total  Radiation  Failure  Value.  Xp  is  the  total  exposure  value 
for  the  part  under  test  at  which  it  fails. 

A.3.1.17  Measured  Logarithmic  Mean  of  Exposure. 

I 

Let  Y'l  =  In  (X^  )  then 

j 
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T  =  l/n  ^  Y, 


i  =  l 


is  the  geometric  mean  which  approximates  the  mean  of  a  lognormal 
distribution. 


A.3.1.18  Measure  Logarithmic  Standard  Deviation  of  Exposure. 


If  Y  =  In  (Xp)  then,  for  the  lognormal  distribution; 


1  " 

s(Y)  =  »  (l/(n  -  11) 

I  ' 


Y  -  Y 
i 


I- 


!  i 


A. 3. 1.19  Part  Categorization  Criterion. 


The  PCC  is  defined  to  be 


PCC  =  exp[KTL  s(Y)] 


As  we  shall  see  it  is  a  measure  of  the  degree  to  which  the  design 
margin  is  eroded  by  the  dispersion  of  sample  results  and  the 
uncertainty  associated  with  a  small  sample. 


A. 3. 1.20  Total  Exposure  Specification.  The  maximum  exposure  the  part  in 
question  must  survive  is  designated  X5. 


A. 3. 1.21  Exposure  Mean  Failure  Value.  This  is  the  measured  logarithmic 
mean  failure  value  which  is  approximated  by  the  geometric  mean- 


=  exp(Y  ) 
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A. 3. 1.22  Total  Exposure  Design  Margin. 

TDM  =  Xj.  / 

A.4  VALIDATION  METHODOLOGY  -  GENERAL. 

Hardness  validation  for  military  systems  with  nuclear  survivabi¬ 
lity  requirements  generally  involves  both  analysis  and  experimental  tests. 
In  both  cases  the  goal  is  to  validate  the  design  hardness  by  identifying  the 
uncertainties  involved  and  determining  whether  they  have  been  appropriately 
accounted  for.  The  uncertainties  are  allowed  for  in  hardened  designs  by 
using  piece  parts  with  adequate  design  margins.  The  design  margins  employed 
incorporate  a  number  of  trade-offs  of  which  the  following  are  typical: 

0  Small  design  margins  require  realistic  tests.  The  more  rea¬ 
listic  the  test,  the  higher  its  cost.  The  cost  is  higher 
because  fewer  variations  in  test  parameters  are  allowed. 

0  The  simpler  the  tests  and  the  greater  the  reliance  on  calcu¬ 
lations,  the  greater  the  design  margin  required. 

0  The  larger  the  design  margin,  the  more  costly  the  piece 
parts. 

A. 5  VALIDATION  METHODOLOGY  PROCEDURES. 

A.5.1  THE  VALIDATION  PROCESS  -  DATA  COLLECTION. 

Before  statistical  calculations  can  be  initiated  three  kinds  of 
information  must  be  acquired:  radiation  levels  at  the  location  of  the  part, 
past  radiation  response  data  on  the  devices,  and  the  failure  criteria  to  be 
appl ied. 
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A. 5. 1.1  Radiation  Level  at  the  Part.  The  radiation  levels  to  which  the 
piece  part  will  be  exposed  in  the  system  must  be  specified.  These 
levels  will  not  necessarily  be  the  system  levels  because  of 
shielding  from  the  surrounding  subsystems.  A  worst  case  estimate 
involves  assuming  the  system  levels  apply  (no  shielding).  The 
levels  can  usually  be  estimated  approximately  using  simple  analy¬ 
tic  approximations.  These  should  be  used  primarily  to  determine 
whether  computer  code  calculations  would  be  warranted  and  not  as 
design  guidelines.  A  wide  range  of  codes  are  available  for  accu¬ 
rate  estimates  of  radiation  levels  if  their  application  is  indi¬ 
cated. 

A.5.1.2  Device  Response  Data.  All  past  data  should  be  considered.  Since 
the  design  has  already  been  accomplished  we  can  assume  that  at 
least  some  data  exists.  The  task  will  be  to  determine  whether  the 
quality  and  extent  of  the  data  is  consistent  with  its  applica¬ 
tion. 

A. 5. 1.3  Failure  Criteria.  A  worst  case  circuit  analysis  is  required  to 
establish  the  parameter  value  at  which  the  piece  part  can  be  con¬ 
sidered  to  have  failed.  In  addition,  it  is  necessary  to  decide 
upon  the  failure  probability  level  that  is  tolerable.  For  worst 
case  estimates  it  can  be  assumed  that  all  devices  in  the  system 
must  operate  properly  and  have  the  same  maximum  probability  of 
failure.  For  example,  if  the  system  is  to  have  a  survival  proba¬ 
bility  of  90^  and  contains  10**  piece  parts,  the  failure  budget  for 
each  part  would  be  10“^. 

A.5.2  THE  VALIDATION  PROCESS  -  PART  CATEGORIZATION. 

The  categorization  of  parts  involves  two  basic  elements: 


@8 


0  The  determination  of  design  margins  for  the  parts. 

0  The  specification  of  criteria  for  assigning  the  parts  to 
categories  on  the  basis  of  the  design  margins. 

In  addition,  it  is  necessary  to  specify  what  category  assignments  signify 
with  respect  to  testing  and  procurement. 

A. 5. 2.1  Design  Margins.  In  this  document  we  advocate  that  only  the  design 
margin  based  upon  fluence  to  failure  be  used.  As  previously 
defined  this  is  given  by 

TOM  =  Xp/Xs 

Where  Xp  is  the  geometric  mean  derived  from  the  available  data  and  X5  is 
the  specification  value  after  shielding  effects  have  been  accounted  for. 
The  geometric  mean  is  calculated  from  the  logarithmic  mean  of  the  observed 
device  response  in  the  samples  tested. 


Xp  =  exp  (T) 


where 


A. 5. 2. 2 


Y  =  1/n  I  Y 
i=l  ’ 


Y  =  In(Xp) 

Categorization  Criteria.  Two  approaches  to  assigning  criteria  for 
categorizing  parts  have  evolved:  The  design  margin  breakpoint 
method  (DMBP),  and  the  part  categorization  criterion  method  (PCC). 
Both  of  these  involve  taking  account  of  the  dispersion  in  part 
response.  This  is  essential  if  the  failure  probability  is  to  be 
kept  within  prescribed  limits.  The  first  applies  to  systems  with 
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moderate  requirements  where  it  is  practical  to  assign  a  single 
criterion  to  all  parts  of  the  system.  The  second  method  applies 
to  systems  with  more  severe  requirements  where  categorization  cri¬ 
teria  must  be  developed  for  each  part  type. 

A. 5. 2. 2.1  Determination  of  the  Part  Categorization  Criterion.  This  is  done 
in  three  steps: 


Determine  the  measured  logarithmic  standard  deviation  for  the 
lot  type  of  interest 


If  Y  =  In  (Xp)  then,  for  the  lognormal  distribution: 


(  " 

s(Y)  =  (l/(n  -  D)  I 

I  1=1 


2  j  ih 
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Determine  the  one  sided  tolerance  limit  from  tabulated  values 
for  the  confidence  level  and  survival  probability  previously 
assigned. 


0  Calculate  the  PCC 


PCC  =  exp[KjL  s{Y)] 

Determination  of  the  Design  Margin  Breakpoint.  This  can  be  done 
in  three  steps: 


Estimate  a  worst  case  standard  deviation  for  the  part  types 
involved. 


0 


In  this  case  we  assume  a  large  sample  so  that  the  one  sided 
tolerance  limit  can  be  replaced  with  the  number  of  standard 
deviations  needed  to  achieve  the  survival  level  desired. 


0  Calculate  the  DMBP 
DMBP  =  exp[KTL(Y)] 

We  see  that  the  procedure  in  the  two  cases  is  essentially  the  same 
except  that  the  values  for  DMBP  will  generally  be  larger  than 
those  for  PCC. 

A. 5. 2.3  Categories  of  Parts. 

A. 5. 2. 3.1  Category  -1  Parts.  There  are  several  types  in  this  category  but 
the  only  one  requiring  statistical  tests  is  the  group  designated 
CAT-IM.  These  parts  are  of  marginal  hardness  and, therefore, 
require  testing  each  time  a  lot  is  purchased  or  other  special 
screening  procedures.  The  presence  of  such  parts  imposes  a  consi¬ 
derable  cost  on  the  system.  In  these  cases  the  design  margin  is 
less  than  PCC  but  greater  than  two. 

A. 5. 2. 3.2  Category  -2  Parts.  These  parts  do  not  require  routine  testing  but 
may  require  occasional  tests.  In  these  cases  the  design  margin 
(TDM)  exceeds  PCC. 

A. 5. 2. 3.3  Non-critical  Parts.  These  parts  have  such  large  design  margins 
that  when  compared  to  the  categorization  criteria  they  do  not 
require  testing. 

A. 5. 2. 3.4  Unacceptable  Parts.  These  include  parts  with  very  low  design  mar¬ 
gins.  Parts  with  design  margins  less  than  one  are  always  elimi¬ 
nated  and  those  with  values  between  one  and  two  should  be  if 
alternatives  are  available. 


DRAFT  STANDARD  METHOD  FOR  NEUTRON  TRANSPORT  CALCULATIONS 


B.l  SCOPE. 

This  method  describes  computational  techniques  for  transforming 
the  environmental  radiation  levels  specified  for  the  system,  to  the  reduced 
levels  encountered  at  piece  part  locations  within  the  system.  It  allows  for 
intervening  materials  that  may  act  as  effective  shields. 

B.1.1  OBJECTIVE. 

In  certain  applications  a  substantial  amount  of  material  may  sur¬ 
round  sensitive  electronic  piece  parts.  In  such  cases,  neglect  of  the 
shielding  effect  of  such  material  on  the  specified  radiation  levels  could 
add  unwarranted  costs  to  the  hardening  process.  A  hierarchical  approach  to 
the  problem  is  indicated.  In  this  approach  a  series  of  analyses  can  be 
undertaken  in  which  the  design  margins  required  decrease  as  the  complexity 
of  the  analysis  increases.  This  document  outlines  acceptable  procedures  for 
arriving  at  reduced  environmental  radiation  levels  by  applying  radiation 
transport  analyses. 

B.l. 2  DOCUMENT  APPLICATION. 

This  document  is  applicable  to  the  calculation  of  shielding 
effects  on  all  piece  parts  used  in  military  systems.  The  environments  of 
concern  include  nuclear  weapons  and  nuclear  power  sources. 
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B.2 


REFERENCED  DOCUMENTS. 


B.2.1  THE  RADIATION  SHIELDING  INFORMATION  CENTER  (RSIC). 

The  Radiation  Shielding  Information  Center  is  located  at  Oak  Ridge 
National  Laboratory,  Post  Office  Box  X,  Oak  Ridge,  Tennessee  37831,  operated 
by  Martin  Marietta  Energy  Systems,  Inc.  for  the  U.S.  Department  of  Energy, 
telephone  number  615-  674-6176.  The  Center  collects,  organizes,  evaluates, 
and  disseminates  shielding  information  related  to  radiation  from  reactors, 
weapons,  accelerators,  and  space  radiations.  Packages  of  computer  codes  and 
related  information  can  be  obtained  from  the  center. 

B.2. 2  GENERAL  REFERENCES. 

Reactor  Shielding  for  Nuclear  Engineers,  N.M.  Schaeffer,  Editor, 
Technical  Information  Center,  Oak  Ridge,  TN  (1973), 

Engineering  Compendium  on  Radiation  Shielding,  R.G.  Jaeger  et  al., 
Springer-Verlag  New  York  (1970). 

B.3  PROCEDURES. 

B.3.1  TRANSPORT  CALCULATIONS  -  APPROXIMATE. 

B.3. 1.1  General. 

It  is  useful  to  estimate  the  amount  of  neutron  attenuation  that 
might  be  encountered  in  a  particular  application  without  having  to  resort  to 
extensive  code  calculations.  For  example,  if  the  amount  of  attenuating 
material  is  so  small  that  it  makes  a  negligible  difference  in  the  fluence  at 
the  point  of  interest,  then  it  would  be  wasteful  to  initiate  a  computer 
study.  On  the  other  hand,  if  significant  reductions  in  fluence  are  indi¬ 
cated  by  exploratory  calculations,  and  the  accuracy  of  the  calculations 
could  have  a  marked  effect  on  system  survivability,  then  analysis  using  ana¬ 
lytic  or  Monte  Carlo  methods  is  warranted. 


B.3.1.2  Removal  Cross  Section  Method. 


In  this  method  exponential  attenuation  is  assumed.  The  removal 
cross  section  has  been  measured  for  many  materials  and  is  assumed  energy 
independent.  The  rational  here  is  that  in  a  thick  shield  only  the  highest 
energy  neutrons  can  penetrate  a  significant  distance.  For  high  energy  neu¬ 
trons  the  cross  section  is  very  close  to  the  geometric  cross  section  and 
therefore  energy  independent.  Calculated  values  of  removal  cross  sections 
are  compared  with  measurements  in  Figure  1.  The  measured  values  are  for: 
H,  Li,  Be,  B,  C,  0,  A1 ,  Cl,  Fe,  Ni,  Cu,  W,  Pb,  Bi,  and  U  (Ref.  1).  Using  an 
approach  suggested  by  the  results  of  Evans  (Ref.  2)  we  show  in  Figure  1  the 
square  root  of  the  cross  section  plotted  versus  the  cube  root  of  the  mass 
number.  The  agreement  between  the  measured  and  calculated  values  is  good 
except  for  hydrogen.  The  straight  line  is  a  plot  of 

0^  ^  =  [2  ir]^  ^[RA^^  +  X] 

R  A^^^  has  the  characteristics  of  an  effective  nuclear  radius  (A  is  the  mass 
number)  and  x  an  effective  "size"  of  the  incident  neutron.  The  values  used 
to  plot  the  line  shown  were  9  x  lO***  for  R  and  1.9  x  10“^^  for  X.  The  above 
equation  provides  a  convenient  method  for  calculating  removal  cross  sections 
for  elements  that  have  not  been  measured.  Where  hydrogen  is  involved  a  cross 
section  of  one  barn  should  be  used  rather  than  a  calculated  value.  The  mea¬ 
sured  cross  sections  shown  in  Figure  1  are  on  the  low  side  of  values  that 
have  been  reported. 
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CROSS  SECTION  VS  ATOUIC  MASS 


Figure  1.  Experimental  versus  calculated  removal  cross  sections. 
B.3.1.3  Requirements. 

The  method  strictly  applies  only  to  the  attenuation  by  materials 
immersed  in  a  hydrogenous  medium  where  the  point  of  interest  is  at  least  10 
centimeters  from  the  shield.  Under  these  circumstances  it  is  found  to  give 
excellent  agreement  with  experiment  (Refs.  1,  3  -  5).  If  the  hydrogenous 
material  is  not  present,  the  use  of  removal  cross  sections  does  not  give 
accurate  results  (Ref.  6).  For  example  the  measured  result  is  a  factor  of  2 
larger  for  a  10  cm  slab  of  lead  than  that  calculated. 
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B.3.2  TRAMSPORT  CALCULATIONS  -  EXACT. 

B.3.2.1  General. 

A  general  approach  to  the  transport  problem  is  to  solve  the 
Boltzman  transport  equation.  Many  methods  of  solution  have  been  developed 
including:  spherical  harmonics,  discrete  ordinates,  and  the  method  of 
moments.  In  contrast  to  the  approximate  approach  the  accuracy  of  these 
methods  is  limited  only  by  the  labor  invested  in  the  computation.  The  dis¬ 
crete  ordinates  is  widely  used  in  applications  at  the  present  time.  A  brief 
description  of  this  method  follows. 

B.3.2. 2  Discrete  Ordinates. 

The  discrete  ordinates  method  is  a  numerical  technique  for  solving 
the  finite  difference  form  of  the  Boltzman  equation.  It  has  been  widely 
used  in  the  form  of  the  ONETRAN  code  which  was  developed  at  Los  Alamos 
National  Laboratory  (Ref.  7),  and  in  a  new  version  called  ONEDANT  (Ref.  8). 
This  code  solves  the  multi-group  Boltzman  equations  in  one-dimensional 
(slab)  geometry  (Ref.  7).  Early  reviews  of  the  method  appear  in  (Refs.  9, 
10). 


B. 3.2.3  Requirements. 

The  ONtTRAN  code  will  run  on  most  large  computers.  The  more 
recent  ONEDANT  has  been  run  on  the  CDC  7600,  CRAY  1,  and  the  IBM/190.  Exten¬ 
sive  disk  space  can  be  required  for  large  cross  section  libraries  (e.g., 
ENDF/B-V). 
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B.3.3 


MONTE  CARLO  METHODS. 


B.3.3.1  General. 

Monte  Carlo  Methods  are  a  generally  applicable  approach  to  the 
transport  problem.  However,  they  can  require  long  machine  running  times  in 
that  a  large  number  of  particle  histories  (10,000)  must  be  run  in  order  to 
obtain  statistically  significant  results.  Nevertheless,  in  many  practical 
applications  they  provide  the  only  realistic  approach  for  obtaining  accurate 
estimates  (e.g.,  in  3D  geometries).  The  MCNP  code,  described  in  the  next 
section,  is  a  popular  state  of  the  art  code.  A  wide  variety  of  variance 
reduction  techniques  have  been  applied  in  the  code  to  insure  efficiency  of 
operation. 


B.3.3. 2  MCNP  -  Monte  £arlo  ^eutron  Photon  Transport. 

Solves  transport  problems  for  neutrons  with  energies  in  the  20  Mev 
to  thermal  range.  It  is  a  general-purpose,  time  dependent,  generalized  geo¬ 
metry  (30)  computer  code.  It  also  treats  photon  transport  problems  (100  MeV 
to  1  keV)  and  coupled  neutron- photon  problems. 

B.3.3. 3  Requirements. 

The  program  is  designed  to  run  on  the  following  computers:  CDC- 
7600,  CYBER  176,  CRAY  1,  VAX,  PRIME,  and  IBM  3033.  Other  machine  version 
packages  are  available.  Extensive  disk  space  is  needed  for  the  large,  cross 
section  libraries  that  are  supplied  with  the  code  (e.g.,  ENDF/B-V).  The 
programming  language  used  is  FORTRAN  77. 
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APPENDIX  C 

STANDARD  PRACTICES  IN  TREE  CIRCUIT  ANALYSIS 


The  purpose  of  this  document  is  to  establish  a  set  of  standard 
procedures  to  verify  the  actual  hardness  levels  to  which  a  circuit  will  not 
respond  beyond  an  acceptable  level. 

The  analysis  will  cover  the  following  TREE  environments. 

1.  Neutron  Fluence 

2.  Ionization  Rate 

3.  Long  Term  Ionization  Dose  (Total  Dose) 

The  procedures  to  be  followed  in  the  Hardness  Verification  Analy¬ 
sis  is: 

1.  Obtain  circuit  schematic  and  parts  list 

2.  Obtain  radiation  test  data  for 

2.1  All  discrete  transistors 

2.2  All  diodes 

2.3  All  integrated  circuits 

2.4  Other  active  parts 

2.4.1  Crystals 

2.4.2  Optical  Isolators 

2.4.3  Fiber  Optic  Components 

2.4.4  Other  semiconductor  parts 


3.  Determine  degraded  parameter  curves  for  all  components  listed 
above  out  to  lOX  specification  level  (to  lOOX  when  reason¬ 
able). 

4.  Perform  a  functional  worst-case  circuit  analysis  using 
accepted  network  analysis  (hand  or  computer)  techniques  to 
verify  that  the  circuit  will  perform  correctly  (within  speci¬ 
fication)  when  operated  at  worst-case  temperature  and  radia¬ 
tion  degraded  device  parameters  (degraded  from  neutrons  and 
total  dose). 

5.  The  analysis  will  be  performed  at  the  maximum  design  margin 
initially.  If  circuit  performs  within  specification,  then  no 
further  analysis  is  required.  If  the  circuit  does  not  per¬ 
form  within  specification,  then  further  analysis  is  required 
at  the  intermediate  design  margin.  If  the  circuit  performs 
within  specification  no  further  analysis  is  required  but  the 
piece-parts  which  contribute  to  the  intermediate  design  mar¬ 
gin  must  be  hardness  categorized. 

6.  The  final  analysis  is  performed  at  the  base  specification 
level  when  the  circuit  performance  is  not  satisfactory  at  the 
intermediate  level.  If  the  circuit  performance  is  satisfac¬ 
tory,  then  a  separate  hardness  category  is  required  of  the 
piece- parts  causing  the  circuit  to  have  the  design  margin  of 
one. 

7.  If  the  circuit  performance  is  unsatisfactory  at  the  base  spe¬ 
cification  level,  then  the  circuit  requires  redesign  until  a 
positive  design  margin  is  met. 
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8.  The  analysis  Is  to  be  extended  to  consider  the  effects  of  the 
prompt  ionization  pulse.  The  analysis  is  to  consider  two 
conditions.  One,  the  recovery  time  of  the  semiconductors 
(transistor,  IC,  diode)  from  the  ionization  pulse  and  the 
effect  of  the  external  circuit  time  constants  on  the  circuit 
recovery  time.  (Transistor  and  diode  recovery  times  can  be 
calculated  from  the  radiation  pulse  width  and  radiation  stor¬ 
age  time;  analog  IC  recovery  times  will  require  test  data; 
digital  IC  recovery  times  can  be  estimated  from  past  data  on 
similar  devices.)  The  worst  case  recovery  time  or  distur¬ 
bance  is  then  compared  with  the  minimum  time  required  to 
affect  the  system  function.  If  the  latter  time  is  lOX  the 
disturbance  time,  the  circuit  is  rated  uncategorized.  If  it 
is  below  lOX  and  above  3X  then  it  is  rated  HCI-2.  If  it  is 
between  3X  and  IX  then  it  is  HCI-2.  Below  IX  indicates  a 
redesign. 

9.  The  final  portion  of  the  analysis  considers  permanent  damage 
to  the  semiconductor  devices  form  the  prompt  ionization 
pulse.  The  following  procedure  is  to  be  used. 

From  pulsed  ionization  tests  on  the  devices,  or  similar  devices, 
an  upper  limit  is  placed  on  the  amount  of  charge  transferred  across  the 
semiconductor  junction,  Qp,  by  a  prompt  ionization  pulse  whose  intensity 
is  lOOX  the  specified  environment  level.  This  charge  is  multiplied  by  the 
maximum  available  voltage  (e.g.,  power  supply  voltage)  to  place  an  upper 
bound  on  the  amount  of  energy  that  can  be  deposited  in  the  device.  If  this 
energy  is  less  than  1  uJ  the  device  is  uncategorized.  (An  exception  to  the 
1  uJ  limit  is  microwave  devices;  for  these  use  test  data  to  determine  safe 
limit.)  If  this  limit  is  above  the  1  mJ  level,  another  upper  bound  on  the 
energy  that  can  be  deposited  in  the  device  is  calculated  by  using  the  value 
of  the  resistance  in  the  circuit  between  the  device  and  the  power  source, 


R  .  That  upper  bound  is  V^t  /4R  ,  where  V  is  the  power  source  voltage, 

0  0  p  0  0 

R^  is  the  series  resistance,  and  tp  is  the  pulse  width  of  the  response  of 
the  device  to  an  ionization  pulse  {ionization  pulse  width  plus  storage 
time).  If  this  value  is  below  1  pJ,  the  device  is  again  uncategorized.  If 
neither  of  these  inequalities  is  satisfied,  the  smaller  of  the  two  energies 
is  compared  with  experimental  or  model-generated  data  on  the  energy 
threshold  for  the  device  for  electrical  excitation.  The  device  is  then 
categorized  as  follows. 


Relationship  Between  Calculated 
Damage  Energy  and  Damage 
Threshold  Energy 

HCI  Category 

Wdi  > 

^dl  ^t  ^  ^d2 

''d2  <  <  10^W^2 

Redesign  Required 

IM 

2 

[A  special  analysis  is  required  for  transistors  connected  to 
transformers  with  a  significant  leakage  inductance.  Ionization-induced 
burnout  has  been  observed  during  recovery  from  saturation  because  the  induc¬ 
tive  kick  may  overvolt  the  transistor.  A  simple  analysis  shows  that  this 
can  only  happen  if  the  transistor  is  driven  into  hard  saturation,  for  which 
the  transition  time  during  recovery  is  shorter  than  the  saturation  time. 
When  this  occurs,  the  peak  voltage  is  estimated  from  the  circuit  inductance, 
transistor  recovery  time,  and  saturation  current.] 


Transient  Ionization  Effects  Analysis 


Transient  ionization  effects,  that  is,  effects  on  the  semiconduc¬ 
tor  electronics  due  tc  ionizing  pulses  which  cause  photocurrent  flow,  are 
divided  into  two  categories,  temporary,  and  permanent.  Examples  are  upset 
(temporally)  and  ionization  induced  burnout  or  memory  loss  (permanent). 

Temporary  Effects 

Analysis  for  temporary  effects  begins  by  establishing  a  "loss  of 
function"  time  budget.  It  is  necessary  to  know  the  length  of  time  that  the 
system  is  not  required  to  function  properly,  yet  the  mission  can  be  ful¬ 
filled.  This  budget  may  be  established  at  the  system  level  with  the  flow- 
down  provided  to  the  circuit  or  subfunctional  level.  If  we  are  dealing  with 
a  subsystem  or  circuit,  then  the  budget  is  established  at  these  levels  with 
additional  flowdown  budgets  is  required. 

The  budgets  must  establish  an  upper  limit  on  system,  subsystem, 
and  circuit  downtimes  which  is  consistent  with  the  requirements  for  system 
operation.  The  analyst  begins  to  analyze  at  the  circuit  level  using  that 
budget. 


In  complicated  systems,  it  may  be  very  difficult  to  achieve  the 
flowdown  but  a  first  cut  should  be  attempted.  As  the  circuit  analysis  pro¬ 
gresses  it  may  be  necessary  to  adjust  the  budgets  at  the  circuit  level  as 
well  as  the  analysis  progresses,  but  at  some  point  the  flowdown  from  the 
system  levels  is  recalculated  to  reflect  these  adjustments. 
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Digital  Microcircuits 

It  is  possible  from  the  data  available,  to  make  an  upper  limit 
estimate  on  the  upset  time  of  most  digital  microcircuits  such  as  54/74 
series  TTL,  it  is  usually  less  than  5  us  but  10  ps  can  be  used  to  provide  an 
adequate  safety  margin.  Typically,  the  upset  level  for  these  circuits  is 
>10®  rad/s  (of  course,  bistable  circuits  are  not  included  here,  because  they 
may  return  to  either  state  following  upset  and  must  be  reset,  therefore  the 
upset  time  depends  on  the  time  of  arrival  of  the  reset  pulse).  The  avail¬ 
ability  of  data  should  make  this  task  straightforward. 

The  calculation  of  a  series  of  digital  circuits  (for  example,  a 
set  of  gates)  is  obtained  by  determining  the  longest  upset  time  in  the 
string.  More  complex  digital  circuits  than  those  mentioned  above  require 
test  data  (either  from  available  test  data  or  by  performing  actual  test). 

Linear  Microcircuits 

Linear  microcircuits  do  not  fall  in  any  category  of  upset  time. 
For  example,  the  LM118  recovers  in  35  ps  and  the  LMlll  recovers  in  excess  of 
150  ps  when  each  are  exposed  to  the  same  level  of  ionization  pulse.  Of 
course,  most  linear  microcircuit  recovery  times  are  defined  by  the  external 
circuit  time  constants.  For  example,  feedback  capacitance  on  op-amps  and 
smoothing  capacitors  on  voltage  regulators  contribute  significantly  to  the 
microcircuit  recovery  time.  This  is  to  be  considered  in  the  analysis. 

However,  the  analysis  may  be  less  complicated  than  one  would  think 
at  this  point.  The  analyst  should  calculate  the  longest  time  constant  in  a 
functional  circuit  that  will  dominate  the  recovery  time. 


NEUTRON  ANALYSIS 


The  failure  level  for  neutron  effects  is  based  on  those  semicon¬ 
ductor  device  parameters  which  are  known  to  be  sensitive  to  neutrons  and 
which  usually  contribute  to  transistor  functional  performance.  These  para¬ 
meters  are  listed  in  Table  1  for  three  functional  categories.  It  is  possi¬ 
ble  that  other  parameters  may  be  important  in  some  circumstances,  for  exam¬ 
ple  hjg.  The  analysts  should  be  careful  to  include  these  in  the  analysis 
in  addition  to  those  listed. 

Table  1.  Usual  parameters  to  be  calculated  for  bipolar  transistors. 

For  Switching  Functions 


min  hpE 
max  IcBO 

Vcesat 

For  Emitter  Followers 


min  hpE 
max  IcBO 
"lax  VcesaT 
max  Vbe 

Amplifiers  (AC  or  DC) 


min  hpE 
max  IcBO 
"lax  VcesAT 


1.  The  analysis  begins  by  calculating  the  ninimuni  (or  maximum) 
values  of  the  above  parameters  that  are  necessary  for  the 
circuit  (or  transistor  stage)  to  perform  to  specifications. 

When  hpE  is  the  parameter  under  calculation,  the  following  steps  will  be 
f ol 1  owed . 

1.  Calculate  minimum  current  gain  required  for  satisfactory  cir¬ 
cuit  operation. 

2.  Determine  the  collector  current  at  that  point. 

3.  Using  test  results,  plot  Al/hpp  vs  neutron  fluence, 

(log/log)  at  the  calculated  current  to  determine  the  damage 
constant  K  at  or  slightly  above  the  threat  fluence.  (Use 
mean  values  of  Al/hpp  for  a  given  point,  and  obtain  mean 
K.) 

4.  Using  the  current  gain  calculated  in  1  above  and  the  minimum 
published  gain  (at  operating  current  and  minimum  spec  tempe¬ 
rature)  calculate  the  Al/hpp  allowable. 

5.  Using  K,  and  Al/hpg,  calculate  the  fluence  at  which  failure 
occurs. 

6.  If  failure  occurs  at  a  neutron  fluence  equal  to  or  below  the 
threat  fluence,  'tf,  then  the  circuit  must  be  redesigned. 

7.  If  failure  occurs  at  a  neutron  fluence  between  and 
S***!,  the  device  is  in  hardness  category  HCI-IM. 


8.  If  failure  occurs  at  a  neutron  fluence  between  5$^  and  30$^, 
then  the  device  is  categorized  as  HCI-2. 


9.  Failure  above  30$^  allows  the  device  to  be  uncategorized. 

10.  The  design  margin  is  calculated  as  the  ratio  of  the  fluence 
at  which  failure  occurs  to  the  spec  fluence. 


followed. 


For  parameters  other  than  hpE,  the  following  steps  are  to  be 


1.  Calculate  the  minimum  (or  maximum)  value  required  for  satis¬ 
factory  circuit  operation. 

2.  From  test  data  determine  the  value  of  the  parameter  at  30X 
spec.  If  this  value  is  satisfactory,  then  the  device  is 
uncategorized. 

3.  If  unsatisfactory,  determine  the  value  at  5X  spec.  If  this 
value  is  satisfactory,  then  the  device  is  categorized  as 
HCI-2. 

4.  If  unsatisfactory,  determine  the  value  at  IX  spec.  If  satis 
factory,  then  the  device  is  categorized  as  HCI-IM. 

5.  If  unsatisfactory,  then  redesign  is  required. 

6.  The  design  margin  is  calculated  by  taking  the  ratio  of  the 
degraded  (neutrons)  value  and  the  minimum  (or  max  value). 


Integrated  circuits  have  a  different  set  of  parameters  to  consider  for  the 
analysis.  These  are  listed  in  Table  2. 

Table.  2.  Usual  paraneters  to  be  calculated  for  integrated  circuits. 

Digital  ICs 

Fanout  or  Sink  Capability 
Input  Leakage  Current 

Maximum  Clock  Frequency  (Propagation  Delay  Time) 

Linear  ICs 

Open  Loop  Gain 
Slew  Rate 

Input  Offset  Current 
Input  Offset  Voltage 

The  analyst  should  note  that  there  may  be  other  parameters  affected  by  neu¬ 
trons  that  may  contribute  to  circuit  performance. 

[NOTE:  For  digital  ICs,  the  parameters  listed  above  are  usually 
defined  in  the  spec  sheet  over  the  military  temperature  range.  In 
this  case,  it  is  not  necessary  to  include  the  temperature  effects 
in  the  analysis.  For  linear  ICs,  the  opposite  is  true,  the  para¬ 
meters  listed  above  are  specified  at  a  given  temperature  and  tem¬ 
perature  effects  are  to  be  included  in  the  analysis] 

The  analysis  steps  are  as  follows: 

1.  The  circuit  is  analyzed  to  determine  its  function  and  the  parame¬ 

ters  critical  to  the  performance  of  the  function.  It  may  be  that 
the  parameters  in  Table  2  do  not  enter  Into  the  calculation  but 
they  must  be  considered  and  evaluated. 
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2.  The  minimum  (or  maximum)  values  for  the  critical  parameters 
are  determined. 

3.  These  values  are  compared  with  the  radiation  test  data  to 
determine  acceptable  circuit  performance. 

4.  Values  in  step  2  above  those  at  30X  spec  render  the  IC 
uncategorized. 

5.  Values  between  5X  spec  and  30X  spec  place  the  IC  in  Category 
HCI-2. 

6.  Values  between  IX  spec  and  5X  spec  place  the  IC  in  Category 
HCI-IM. 

7.  Values  below  IX  spec  require  a  redesign. 

8.  The  design  margin  is  the  ratio  of  the  degraded  parameter  to 
min  (or  max)  required  value. 

This  procedure  is  acceptable  for  digital  ICs  and  for  single  stage 
linear  ICs.  However,  for  multistage  linear  circuits,  employing  several  ICs 
in  a  string  to  perform  a  function,  it  is  advantageous  to  consider  the  total 
circuit.  For  example,  where  several  op-amps  are  used  in  a  filter-amplifier 
combination.  It  may  be  that  the  overall  gain  remains  satisfactory  even 
though  one  amplifier's  gain  may  be  severely  degraded.  In  this  case,  if  that 
one  amplifier  were  considered  by  itself  it  would  be  categorized  as  HCI-IM, 
yet  when  considered  in  the  overall  string,  it  is  uncategorized. 

Neutron  specifications  may  include  both  a  multiple  burst  scenario 
and  an  enhancement  factor  for  rapid  annealing  phenomena.  If  the  neutron 
rapid  annealing  enhancement  factor  has  not  been  included,  then  the  total 
neutron  fluence  of  the  largest  single  burst  should  be  increased  by  a  factor 
of  3  to  account  for  rapid  annealing. 


NEUTRON  RELATED  DOCUMENTS 
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June  1982. 
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2.  Nuclear  Hardness  Assurance  Guidelines  For  Systems  With  Mode 
rate  Requirements,  AFWL-TR-76-147,  September  1976. 

Standards 

1.  ASTM  E763-80,  Standard  Method  For  Calculation  of  Absorbed 
Dose  From  Neutron  Irradiation  by  Application  of  Threshold- 
Foil  Measurement  Data. 
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